Cyber security news for all


    Hijack Loader Malware Employs Process Hollowing, UAC Circumvention in Newest Iteration

    In its most recent iteration, the malware loader known as Hijack Loader has been observed using an updated set of techniques intended to frustrate analysis and slip past detection systems.

    “These improvements are designed to enhance the surreptitious nature of the malware, thereby prolonging its ability to operate undetected,” remarked Muhammed Irfan V A, a researcher at Zscaler ThreatLabz, in a detailed technical analysis.

    Hijack Loader, also referred to as IDAT Loader, is a malware loader first documented by the cybersecurity firm in September 2023. Since then, it has served as a conduit for delivering a variety of malware strains.

    These include Amadey, Lumma Stealer (also known as LummaC2), MetaStealer, Raccoon Stealer V2, Remcos Remote Access Trojan (RAT), and Rhadamanthys.

    What distinguishes the latest version is its use of a technique that decrypts and parses a PNG image to kick off the next stage of payload deployment, a tactic first described by Morphisec in connection with a campaign targeting Ukrainian entities based in Finland.

    According to Zscaler, the loader has a first stage responsible for extracting and launching the second stage from a PNG image, which is either embedded in the loader itself or fetched separately, depending on the malware's configuration.

    “The primary objective of the secondary phase is to inject the primary instrumentation module,” Irfan explained. “In order to enhance stealth capabilities, the secondary phase of the loader employs a multitude of anti-analysis techniques through various modules.”
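The staging described above hides the next stage inside a PNG image. As an added example (not Zscaler's, Morphisec's or the loader's own code), the following Python walks a PNG's chunk structure and reports the places where non-image data can sit: bytes after the IEND chunk, bytes inside the IDAT data after the zlib stream ends, CRC mismatches, and a decoded pixel buffer whose size does not match the IHDR header. The sample image is constructed inside the block, and the heuristics are assumptions for triage rather than signatures for any particular loader.

```python
"""Walk a PNG's chunks and flag places where extra data can hide.

Added example, not code from the original article or from any vendor named in it.
The checks below are assumptions about what merits a closer look, not signatures.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(idat_tail: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed 1x1 8-bit RGB PNG; idat_tail is appended inside the IDAT chunk
    after the zlib stream, trailing is appended after IEND (both simulate hidden data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB, ...
    idat = zlib.compress(b"\x00\x00\x00\x00") + idat_tail  # filter byte + one RGB pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailing)


def inspect_png(blob: bytes) -> dict:
    """Return {"chunks": [...], "findings": [...]} for a PNG byte string."""
    chunks, findings = [], []
    if not blob.startswith(PNG_SIGNATURE):
        return {"chunks": chunks, "findings": ["bad PNG signature"]}
    pos, idat, ihdr, end_of_image = len(PNG_SIGNATURE), b"", None, None
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_bytes) != 4:
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            break
        crc_ok = struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append({"type": ctype.decode("latin-1"), "offset": pos,
                       "length": length, "crc_ok": crc_ok})
        if not crc_ok:
            findings.append(f"CRC mismatch in {ctype!r} at offset {pos}")
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", data)
        elif ctype == b"IDAT":
            idat += data  # all IDAT chunks together form one zlib stream
        pos += 12 + length
        if ctype == b"IEND":
            end_of_image = pos
            break
    if end_of_image is None:
        findings.append("no IEND chunk")
    elif end_of_image < len(blob):
        findings.append(f"{len(blob) - end_of_image} bytes after IEND")
    if ihdr and idat:
        width, height, depth, colour, interlace = ihdr[0], ihdr[1], ihdr[2], ihdr[3], ihdr[6]
        d = zlib.decompressobj()
        try:
            raw = d.decompress(idat)
        except zlib.error:
            findings.append("IDAT does not decompress as zlib")
        else:
            if interlace == 0:  # size formula below assumes a non-interlaced image
                expected = height * (1 + (width * CHANNELS.get(colour, 1) * depth + 7) // 8)
                if len(raw) != expected:
                    findings.append(f"decoded image data is {len(raw)} bytes, expected {expected}")
            if d.unused_data:
                findings.append(f"{len(d.unused_data)} bytes inside IDAT after the zlib stream end")
    return {"chunks": chunks, "findings": findings}


if __name__ == "__main__":
    for label, blob in [("clean", build_sample_png()),
                        ("after IEND", build_sample_png(trailing=b"X" * 64)),
                        ("inside IDAT", build_sample_png(idat_tail=b"Y" * 32))]:
        print(label, inspect_png(blob)["findings"])
```

A file that decodes to a valid picture can still carry data in either of these two places, so an image that renders normally is not evidence that nothing is appended; the chunk walk is what makes the extra bytes visible.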

    Hijack Loader samples observed in the wild in March and April 2024 also incorporate up to seven new modules that create new processes, perform a UAC bypass, and add an exclusion for Windows Defender Antivirus via a PowerShell command.
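The Defender exclusion added through PowerShell is a loud action that defenders can look for in script-block (Event ID 4104) and process-creation (Event ID 4688) logs. As an added example (not Zscaler's code), the following Python runs a simple rule over constructed log lines and also decodes `-EncodedCommand` arguments, since a process-creation event only shows the base64 form of the script. The flattened `EventID=... Field="..."` line format and the sample lines are constructed, and the regular expressions are assumptions about what is worth alerting on.

```python
"""Flag PowerShell activity that adds Windows Defender exclusions.

Added example, not code from the original article. The log-line format and the
sample lines are constructed; the regexes are assumptions about what to alert on.
"""
import base64
import re

# Add-MpPreference followed (later on the same line) by an exclusion parameter.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b[^\r\n]*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
    re.IGNORECASE,
)
# powershell.exe -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_commands(text: str) -> list[str]:
    """Return the decoded scripts behind any -EncodedCommand tokens in text."""
    decoded = []
    for token in ENCODED_RE.findall(text):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64/UTF-16LE after all; other rules can handle it
    return decoded


def flag_defender_exclusions(lines: list[str]) -> list[dict]:
    """One hit per log line whose raw or decoded command adds a Defender exclusion."""
    hits = []
    for index, line in enumerate(lines):
        for candidate in [line] + decode_encoded_commands(line):
            match = EXCLUSION_RE.search(candidate)
            if match:
                hits.append({"line": index, "command": match.group(0)})
                break
    return hits


# Constructed sample lines in a flattened Windows-event style (not real telemetry).
SAMPLE_LOG = [
    'EventID=4104 ScriptBlockText="Get-ChildItem C:\\Users\\Public"',
    'EventID=4104 ScriptBlockText="Add-MpPreference -ExclusionPath C:\\Users\\Public\\stage"',
    'EventID=4688 CommandLine="powershell.exe -nop -w hidden -enc '
    + encode_ps("Add-MpPreference -ExclusionProcess notepad.exe") + '"',
    'EventID=4104 ScriptBlockText="Set-MpPreference -ScanScheduleDay Sunday"',
]

if __name__ == "__main__":
    for hit in flag_defender_exclusions(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['command']}")
```

The decode step matters more than the regex: with script-block logging enabled the 4104 event already contains the decoded text, but on hosts where only process creation is logged the command line is all a detection has, and the base64 form never contains the literal cmdlet name.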

    Further supporting the malware's evasion is its use of the Heaven's Gate technique to bypass user-mode hooks, as previously described by CrowdStrike in February 2024.

    “Amadey has been the most prevalent family delivered by Hijack Loader,” noted Irfan. “The initiation of the secondary phase entails the utilization of an embedded PNG image or one fetched from the internet. Moreover, additional modules have been incorporated into Hijack Loader, augmenting its capabilities and fortifying its resilience.”

    These developments come against a backdrop of malware campaigns distributing other loader families such as DarkGate, FakeBat (also known as EugenLoader), and GuLoader through malvertising and phishing attacks.

    This trend is accompanied by the emergence of an information stealer dubbed TesseractStealer, distributed by ViperSoftX, which uses the open-source Tesseract optical character recognition (OCR) engine to extract text from image files.

    “The malware is primarily focused on acquiring specific data pertaining to credentials and cryptocurrency wallet details,” stated Symantec, a subsidiary of Broadcom. “In addition to TesseractStealer, recent ViperSoftX operations have also been observed deploying another payload from the Quasar RAT malware family.”
