Windows users have received a stark reminder regarding the potential dangers of saving large files on their PCs, particularly when it comes to solid-state drives (SSDs). However, a new warning has emerged that installing free games could pose even greater risks as cybercriminals ramp up their activities.
Malicious Downloads and the Threat of HijackLoader
The focus of concern is on pirated games, specifically those distributed by Dodi Repacks, a site that has been deemed safe by various piracy forums. A recent investigation by a Trellix researcher revealed a complex network of redirects that occurs when attempting to download a free game. This process ultimately leads to the installation of dangerous malware capable of hijacking your PC, disabling security software, and deploying additional malicious programs.
Upon clicking to download a popular game from the site, users are directed through multiple redirects that culminate in a ZIP archive. This archive contains a .dll file exceeding half a gigabyte in size—a common strategy employed by threat actors to evade detection by online scanners and sandboxes, which often impose size limits on uploads.
Within this oversized file lies a call that should not be present, triggering a malicious function that executes scripts on the user’s PC to install the aptly named HijackLoader malware. Notably, this malware is designed to bypass standard antivirus protections. Trellix highlights that even with an adblocker like uBlock Origin installed, users remain vulnerable, debunking the myth prevalent on piracy forums that such measures ensure safety when downloading pirated software.
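The half-gigabyte DLL described above is a size-evasion trick, not a technical obstacle: the size of every entry in a ZIP archive is recorded in its central directory, so a triage tool can spot an oversized or heavily padded DLL before decompressing anything. The following script is an added example written for this page (it is not Trellix's tooling or code from the original article). It builds a small constructed archive in memory, reads only the central directory plus the first two bytes of each entry, and flags DLLs above a size threshold, entries with an implausibly high compression ratio (zero padding compresses almost completely), and extension/magic mismatches. The thresholds, field names and sample file names are assumptions.

```python
"""Triage a ZIP archive for oversized or padded DLLs without extracting it.

Added example, not from the article or from Trellix. It reads the central
directory (sizes are known up front) and peeks at the first two bytes of each
entry, so a 500 MB DLL is flagged without ever being fully decompressed.
"""
from __future__ import annotations

import io
import zipfile

# Assumed thresholds for illustration; the article's sample exceeded 512 MiB.
DEFAULT_SIZE_LIMIT = 512 * 1024 * 1024
HIGH_RATIO = 50.0  # uncompressed/compressed ratio above which padding is likely
PE_EXTENSIONS = (".dll", ".exe", ".sys", ".ocx", ".scr")


def triage_zip(data: bytes, size_limit: int = DEFAULT_SIZE_LIMIT) -> list[dict]:
    """Return one finding per file entry; an empty 'reasons' list means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            is_pe_name = name.endswith(PE_EXTENSIONS)
            reasons = []

            # Central-directory sizes: no decompression needed for these checks.
            if name.endswith(".dll") and info.file_size > size_limit:
                reasons.append("oversized_dll")
            if info.compress_size > 0 and info.file_size / info.compress_size > HIGH_RATIO:
                reasons.append("high_compression_ratio")

            # Peek at the magic: only the first deflate block is inflated.
            with zf.open(info) as fh:
                head = fh.read(2)
            if is_pe_name and head != b"MZ":
                reasons.append("executable_without_mz")
            if not is_pe_name and head == b"MZ":
                reasons.append("mz_in_non_executable")

            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "compressed": info.compress_size,
                "reasons": reasons,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real malicious file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A 2 MiB zero-padded "DLL": small enough to build, padded like the real one.
        zf.writestr("game.dll", b"MZ" + b"\0" * (2 * 1024 * 1024), zipfile.ZIP_DEFLATED)
        zf.writestr("readme.txt", b"Install instructions go here.", zipfile.ZIP_DEFLATED)
        zf.writestr("launcher.exe", b"not a PE file", zipfile.ZIP_STORED)
        zf.writestr("assets/level1.dat", b"MZ" + b"\x90" * 64, zipfile.ZIP_STORED)
    return buf.getvalue()


if __name__ == "__main__":
    # Lowered limit so the 2 MiB constructed sample trips the size check.
    for f in triage_zip(build_sample_archive(), size_limit=1024 * 1024):
        flag = ", ".join(f["reasons"]) or "ok"
        print(f"{f['name']:<20} {f['size']:>10} B  ({f['compressed']} B compressed)  {flag}")
```

Run against a real download, the compression-ratio check is the one worth keeping even when the DLL is under the scanner's size limit: a genuine game library is mostly code and data and compresses modestly, while a file inflated with padding to beat an upload cap compresses by orders of magnitude.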
[Image: Security software bypasses. Source: Trellix]
According to CyberPress, those who choose to engage with these pirated downloads should be aware that HijackLoader employs advanced anti-analysis and anti-debugging techniques:
- Checks for virtual machines through hypervisor and vendor ID inspections.
- Monitors RAM and processor counts to evade detection in sandboxes.
- Verifies system artifacts such as usernames and computer names.
If the malware passes these checks, it establishes persistence by manipulating environment variables, copying components to the %APPDATA% directory, and executing its payload using custom mutex logic. The primary objective of HijackLoader is to load additional malware onto the infected PC while evading detection from Microsoft and other security measures, thereby placing all data on the machine at risk.
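The persistence step described above (components copied into %APPDATA% and executed from there) is the part of the chain that leaves a trace in ordinary endpoint telemetry. The script below is an added example for this page, not code from Trellix, CyberPress or Zscaler: it runs a small detection rule over constructed process-creation events written in a simplified key=value form (the field names Image, ParentImage, CommandLine and User mirror Sysmon's Event ID 1, but the line format and the sample values are assumptions). It flags executables launched from the roaming AppData or Local\Temp directory, a Windows system binary name running outside C:\Windows, and a parent process that itself came from the Downloads folder, while suppressing the AppData hit for a short allowlist of applications that legitimately install there.

```python
"""Flag process launches from %APPDATA% in constructed Sysmon-style events.

Added example, not from the article or the vendors it cites. The event lines,
allowlist and scoring are assumptions to be tuned against local telemetry.
"""
from __future__ import annotations

import re

# Constructed sample events (assumption: real Sysmon records are XML/JSON).
SAMPLE_EVENTS = [
    r'EventId=1 User="DESKTOP-1\alice" Image="C:\Program Files\Steam\steam.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="steam.exe"',
    r'EventId=1 User="DESKTOP-1\alice" Image="C:\Users\alice\AppData\Roaming\Discord\app-1.0\Discord.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="Discord.exe"',
    r'EventId=1 User="DESKTOP-1\alice" Image="C:\Users\alice\AppData\Roaming\WinUpd\svchost.exe" ParentImage="C:\Users\alice\Downloads\Game-Setup\setup.exe" CommandLine="svchost.exe -k"',
    r'EventId=1 User="NT AUTHORITY\SYSTEM" Image="C:\Windows\System32\svchost.exe" ParentImage="C:\Windows\System32\services.exe" CommandLine="svchost.exe -k netsvcs"',
    r'EventId=3 Image="C:\Program Files\Steam\steam.exe" DestinationPort=443',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Directories where user-writable droppers commonly persist (case-insensitive).
USER_DROP_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
# Assumed allowlist of apps that legitimately run from AppData; tune locally.
APPDATA_ALLOWLIST = ("\\appdata\\roaming\\discord\\", "\\appdata\\local\\microsoft\\teams\\")
# Real Windows binary names that should not appear outside C:\Windows.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "rundll32.exe"}


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict (quoted values may contain spaces)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def evaluate(event: dict) -> list[str]:
    """Return the rule names an event triggers; empty list means no finding."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    reasons = []

    if any(d in image for d in USER_DROP_DIRS) and not any(a in image for a in APPDATA_ALLOWLIST):
        reasons.append("image_in_appdata")

    basename = image.rsplit("\\", 1)[-1]
    if basename in SYSTEM_BINARY_NAMES and not image.startswith("c:\\windows\\"):
        reasons.append("system_name_outside_windows")

    if "\\downloads\\" in parent:
        reasons.append("parent_from_downloads")
    return reasons


def analyze_events(lines: list[str]) -> list[dict]:
    """Run the rule over process-creation events only and return alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventId") != "1":
            continue  # only process-creation records carry Image/ParentImage
        reasons = evaluate(event)
        if reasons:
            alerts.append({
                "image": event.get("Image"),
                "parent": event.get("ParentImage"),
                "user": event.get("User"),
                "reasons": reasons,
                "score": len(reasons),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(f"score={alert['score']} {alert['image']} <- {alert['parent']}: {', '.join(alert['reasons'])}")
```

The allowlist is the operational caveat: plenty of legitimate software updates itself from AppData, so a bare "runs from %APPDATA%" rule is noisy on its own. Requiring a second signal (a system binary name in a user directory, or a parent that came out of a fresh download) is what keeps the alert volume usable without losing the case the article describes.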
Zscaler reports that HijackLoader not only facilitates the delivery of secondary payloads but also includes various modules that enhance its capabilities. This loader has been linked to numerous malware families, including Danabot, SystemBC, and RedLine Stealer, significantly amplifying its threat level.
Trellix further notes that in recent instances, the final payload deployed by HijackLoader has predominantly been LummaC2. However, a range of other malware families have previously been delivered through HijackLoader, including:
- Tofsee
- Remcos
- Vidar
- xWorm
- RedLine Stealer
- Danabot
- Rhadamanthys
- StealC
- XMRig
- Amadey
As the demand for pirated games continues to rise, cybercriminals have adeptly weaponized this trend, posing significant risks to unsuspecting users. The message is clear: caution is imperative when navigating the world of free downloads.