Cybersecurity researchers have uncovered a sophisticated campaign where threat actors leverage pirated game downloads to distribute HijackLoader, a modular malware loader, effectively bypassing common defenses like adblockers and Microsoft Defender SmartScreen.
Sites such as Dodi Repacks, often deemed “safe” on piracy forums when used with tools like uBlock Origin, serve as vectors for this malware.
Users attempting to download cracked games are redirected through domains like zovo[.]ink and downf[.]lol to MEGA-hosted ZIP archives containing nested .7z files.
These archives disguise malicious payloads within seemingly legitimate files, such as oversized DLLs like DivXDownloadManager.dll, which exceed sandbox upload limits to evade automated analysis.
Malware Distribution Through Piracy Networks
Despite adblockers, the infection chain proceeds, debunking claims that such tools provide adequate protection.
Analysis reveals that the malware employs module stomping on system DLLs like shell32.dll, decrypting configurations from files like quintillionth.ppt and paraffin.html using SIMD-accelerated XOR loops and LZNT1 decompression.
This setup loads subsequent stages, including anti-VM checks for hypervisors, RAM thresholds, and process counts, ensuring execution only on suitable victim machines.
HijackLoader’s modular architecture supports up to 40 components, with the “ti” module handling API resolution via CRC32 hashes, stack spoofing through Heaven’s Gate syscalls, and unhooking of ntdll.dll and wow64cpu.dll to evade EDR tools.
It disables WOW64 redirection, spoofs return addresses using random exports from DLLs like shdocvw.dll, and performs time-based anti-debugging via RDTSC and CPUID differentials.
Payload Deployment
Persistence is achieved through LNK files in startup folders, scheduled tasks via modTask, or BITS transfers, with self-elevation using modUAC exploiting runas or CMSTPLUA.
Injection targets legitimate executables like choice.exe or signed binaries such as XPFix.exe from Qihoo 360, employing process hollowing without CREATE_SUSPENDED flags by piping input to resume threads.
For AV evasion, it detects products like Avast, AVG, and Kaspersky via process hashes, disables Windows Defender exclusions via elevated PowerShell commands, and deploys payloads like LummaC2 stealer.
Final injection involves decrypting payloads with XOR keys, resolving relocations, and executing via modules like rshell or ESAL, often mapping transacted sections with tinystub PE files rolled back post-injection.
This campaign extends beyond gaming sites, infiltrating platforms like TIDAL playlists linking to malicious archives on up-community[.]net and weeklyuploads[.]click, highlighting widespread abuse of cracked software searches on Google.
Active development in modules like ti and rshell underscores HijackLoader’s evolution, previously linked to families including Remcos, Vidar, and Redline Stealer.
Indicators of Compromise (IOCs)
| Category | Description | Details |
|---|---|---|
| Domains | High-risk redirect sites | directsnap.click, readyf1.lol, weeklyuploads.click |
| File Names | Malicious files and payloads | DivXDownloadManager.dll (DLL/HijackedExecution.A, SHA256: 5649F7535E388572096DDDCF3C50A66C51D189F31DC7769470E9A78C5B2EC34C); quintillionth.ppt (Generic Trojan.XAE, SHA256: 8EF22B49AF1D7E67657BCFAC9D02DD1BFCC1D3AE20D1BBCB1A60C99D023D18D5); paraffin.html (Trojan/HijackLoader.RW, SHA256: 0D24D4E72B7B22017C6FDE7B1A2DC1A1E1AD63B97B5811DC02C221AA68D9D00C); LummaC2 payload (ACL/Malware Generic.BRHJ, SHA256: E575A3A2FBF1916D3AFB0A1ABFD8479C02B5B677550883F9A5D0E22EE738030A); blackthorn.vhd (Trojan/HijackLoader.RW, SHA256: 04677C4C70D9F61F011B0AC744F2DC5353AC0D1B4AA5D9EC37A291968D2A0B79); MSIL Trojan (T-TRO-ZZA, SHA256: EECDEA0F63F4E54D8EFB542700F37DA98865C0735D66D8ECF7E5E81AA64CFF20) |
AWS Security Services: 10-Point Executive Checklist - Download for Free
Source link
