New Loader Variant Behind Widespread Malware Attacks


Malware infection technique called TxHollower gets updated with stealthy features.

An updated version of a malware-loading technique called TxHollower is behind a recent wave of cyberattacks pelting PCs with FormBook, LokiBot and SmokeLoader malware. Researchers describe it as a new “significant threat” and added that attacks using TxHollower have “spread like wildfire” over the past year.

Ensilo researchers tracking TxHollower said on Thursday that part of the uptick is tied to improved features that allow adversaries to more effectively sneak malware past some antivirus software defenses.

“The samples we are seeing today are far more stealth,” said Udi Yavo, CTO and co-founder of Ensilo, in an interview with Threatpost. Improvements include TxHollower being able to lie dormant if AV software is detected and, in other cases, being able to bypass user-mode hooks used by AV software to detect malware.

TxHollower is what is known as a malware loader, a type of malicious code that specializes in loading a second-stage malware payload onto a victim’s system. Unlike dropper malware, which downloads malicious files from a command-and-control server, loaders hide a malware payload inside the actual loader code.

“This loader is a significant threat, besides [distributing] GandCrab, that closed up shop earlier this year, it delivers over a dozen other payloads like FormBook, LokiBot, SmokeLoader, AZORult, NetWire, njRat and Pony stealer,” wrote Omri Misgav, security research team leader at Ensilo, in a blog post outlining the infection technique.

Yavo said TxHollower has received a significant update from an unknown criminal group or groups since researchers first began tracking it last year. He suspects the malware is being distributed on black markets online, which explains wider adoption of the malware.

“The wide variety and circulation of payloads make it easy to assume TxHollower is bundled with some offensive framework or exploit kit,” Misgav wrote.

TxHollower is a hybrid of sorts, using techniques borrowed from two loader-malware families, one called Process Doppelgänging and a second called Process Hollowing. Process Doppelgänging is similar to Process Hollowing, in which adversaries replace the memory of a legitimate process with malicious code, thereby evading antivirus process monitoring tools.

With Process Doppelgänging, the result is the same as Process Hollowing; however, attackers abuse Windows NTFS transactions and an outdated implementation of the Windows process loader. Researchers said the main purpose of the technique is to use NTFS transactions to launch a malicious process from the transacted file so that the malicious process looks like a legitimate one.
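A detection sketch for the pattern described above, added here as an example and not taken from Ensilo's research or any security product. It correlates API-trace events to flag a process that creates an image section from a file written inside an NTFS transaction and then rolls the transaction back, the sequence publicly documented for Process Doppelgänging. The event schema and all sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed API-trace events (hypothetical schema: pid, api, txn, fh).
EVENTS = [
    {"pid": 4120, "api": "CreateTransaction", "txn": "T1"},
    {"pid": 4120, "api": "CreateFileTransactedW", "txn": "T1", "fh": "F1"},
    {"pid": 4120, "api": "WriteFile", "fh": "F1"},
    {"pid": 4120, "api": "NtCreateSection", "fh": "F1", "sec_image": True},
    {"pid": 4120, "api": "RollbackTransaction", "txn": "T1"},
    # Benign case: transacted write that is committed, no image section.
    {"pid": 5200, "api": "CreateTransaction", "txn": "T2"},
    {"pid": 5200, "api": "CreateFileTransactedW", "txn": "T2", "fh": "F2"},
    {"pid": 5200, "api": "WriteFile", "fh": "F2"},
    {"pid": 5200, "api": "CommitTransaction", "txn": "T2"},
    # Benign case: ordinary image section with no transaction involved.
    {"pid": 6300, "api": "NtCreateSection", "fh": "F3", "sec_image": True},
]

def find_transacted_image_sections(events):
    """Return sorted pids that created an image section from a file written
    inside an NTFS transaction and then rolled that transaction back."""
    fh_txn = {}                # (pid, file handle) -> transaction id
    written = set()            # transacted handles that received writes
    imaged = defaultdict(set)  # (pid, txn) -> handles backing image sections
    flagged = set()
    for e in events:
        pid, api = e["pid"], e["api"]
        key = (pid, e.get("fh"))
        if api == "CreateFileTransactedW":
            fh_txn[key] = e["txn"]
        elif api == "WriteFile" and key in fh_txn:
            written.add(key)
        elif api == "NtCreateSection" and e.get("sec_image") and key in written:
            imaged[(pid, fh_txn[key])].add(e["fh"])
        elif api == "RollbackTransaction" and imaged.get((pid, e["txn"])):
            # On-disk file reverts, but the section still holds the written image.
            flagged.add(pid)
    return sorted(flagged)

if __name__ == "__main__":
    print(find_transacted_image_sections(EVENTS))
```

Committed transactions and image sections backed by non-transacted files are not flagged, which keeps ordinary installers and normal module loads out of the results.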

“We decided to name the loader TxHollower because Transactional NTFS APIs are abbreviated ‘TxF’ in the docs and Malwarebytes dubbed the specific implementation ‘Transacted Hollowing,’” wrote Ensilo.

The ability of the TxHollower technique to sneak malware past security measures represents a significant threat, Yavo said. It’s not surprising this technique has quickly been seized upon by attackers, he said.

“Usage of process doppelgänging-like techniques in-the-wild is increasing, which may suggest that not all security products have adopted and are not yet able to detect or prevent them,” Misgav said.

The earliest sample of TxHollower was identified in October 2018. “The latest version of the loader is the most prevalent in the wild and the second version remains in constant use throughout all this time,” Misgav wrote. The most common payloads are SmokeLoader, NetWire and Remcos RAT.
