
TxHollower

Posted: September 5, 2019

Trojan loaders are malware components built to get a second-stage payload running past commonly used security measures, typically by combining a wide array of code obfuscation techniques with in-memory execution. A loader is not dangerous by itself, but it is always paired with a more sophisticated piece of malware that serves as the secondary payload; thanks to the loader, that payload may infiltrate a computer despite the presence of anti-malware software.

TxHollower Brings LokiBot and FormBook Copies

One of the recently discovered Trojan loaders is called TxHollower, and it appears to have already been used to deliver high-profile threats such as LokiBot and FormBook. Trojan loaders share a lot of similarities with Trojan droppers, but there is one easy way to distinguish them: a dropper writes its payload to disk as a separate file (or, as a downloader, fetches it from a remote server) and then executes it, whereas a loader carries the payload inside its own file and runs it directly in memory without ever writing it to disk.

The primary tricks that TxHollower uses to bypass security measures are process hollowing and process doppelganging. Process hollowing starts a legitimate program in a suspended state, replaces its in-memory image with the code of the payload, and then resumes it, so the payload runs under the name and on-disk path of a trusted process; antivirus products that judge a process only by its executable file see nothing out of the ordinary. Process doppelganging is more involved to execute, but it is certainly not a new trick and it is not an exploit of a bug: it abuses the Transactional NTFS (TxF) API and was publicly documented in 2017. The loader opens a file transaction, overwrites a legitimate executable inside that transaction, creates an image section from the transacted file, rolls the transaction back so the file on disk is never actually changed, and finally creates a process from the section. The result is once again a malicious program disguised as a legitimate one, this time without the unmapping and rewriting of process memory that hollowing leaves behind.
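Both techniques leave the file on disk clean while the process runs something else, so the practical check is to diff the PE headers of the executable on disk against the headers mapped at the process's image base, the comparison that tools such as PE-sieve perform. The following Python is an added example, not TxHollower's code or anything from this page: the two PE images it analyses are constructed in the script (a headers-only host binary and the payload headers that replace it), and on a live system the memory buffer would instead be read with ReadProcessMemory from the image base of the suspect process.

```python
"""Spot a hollowed process by diffing its on-disk PE headers against the
headers mapped at its image base. Added example; not TxHollower's code."""
import struct
from typing import Dict, List


def parse_pe_headers(buf: bytes) -> Dict:
    """Parse the DOS, file, optional (PE32/PE32+) and section headers."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", buf, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic")
    sections = []
    for i in range(nsec):                               # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, chars))
    return {
        "machine": machine,
        # AddressOfEntryPoint and SizeOfImage sit at the same offsets in PE32 and PE32+.
        "entry_point": struct.unpack_from("<I", buf, opt + 16)[0],
        "size_of_image": struct.unpack_from("<I", buf, opt + 56)[0],
        "sections": sections,
    }


def compare_images(disk: bytes, memory: bytes) -> List[str]:
    """Return every header field where the mapped image differs from the file.

    ImageBase is left out on purpose: ASLR relocates legitimate images, so it is
    not a reliable indicator. The fields checked here are mapped into memory
    unchanged, so a mismatch means the process is not running the file it names.
    """
    d, m = parse_pe_headers(disk), parse_pe_headers(memory)
    findings = []
    for field in ("entry_point", "size_of_image", "machine"):
        if d[field] != m[field]:
            findings.append("%s: disk 0x%x, memory 0x%x" % (field, d[field], m[field]))
    if len(d["sections"]) != len(m["sections"]):
        findings.append("section count: disk %d, memory %d"
                        % (len(d["sections"]), len(m["sections"])))
    for ds, ms in zip(d["sections"], m["sections"]):
        if ds != ms:
            findings.append("section %r on disk is %r in memory" % (ds, ms))
    return findings


def is_hollowed(disk: bytes, memory: bytes) -> bool:
    return bool(compare_images(disk, memory))


def build_pe(entry_point: int, sections, machine: int = 0x8664) -> bytes:
    """Construct a headers-only PE32+ image as sample input (not a real binary).
    sections: (name, virtual_size, virtual_address, characteristics) tuples."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = bytearray(240)                    # PE32+ optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)   # Magic: PE32+
    struct.pack_into("<I", opt, 16, entry_point)
    end = max(va + vs for _, vs, va, _ in sections)
    struct.pack_into("<I", opt, 56, (end + 0xFFF) & ~0xFFF)       # SizeOfImage, page aligned
    file_hdr = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, vs, va, ch in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table


# Constructed sample: the legitimate host executable as it sits on disk.
HOST_ON_DISK = build_pe(0x1500, [(".text", 0x3000, 0x1000, 0x60000020),
                                 (".rdata", 0x1000, 0x4000, 0x40000040),
                                 (".data", 0x800, 0x5000, 0xC0000040)])
# Constructed sample: the payload's headers, found at the host's image base after hollowing.
HOLLOWED_IN_MEMORY = build_pe(0x2A10, [(".text", 0x8000, 0x1000, 0x60000020),
                                       (".data", 0x2000, 0x9000, 0xC0000040),
                                       (".reloc", 0x400, 0xB000, 0x42000040)])

if __name__ == "__main__":
    print("clean:", is_hollowed(HOST_ON_DISK, HOST_ON_DISK))           # False
    for f in compare_images(HOST_ON_DISK, HOLLOWED_IN_MEMORY):
        print("hollowed:", f)
```

The same diff catches process doppelganging: because the transaction is rolled back, the file on disk is the untouched original while the mapped image carries the payload's entry point and section table. A hollowed process that keeps the host's headers and only overwrites section contents would slip past this header-only check, which is why memory scanners also hash the code sections themselves; the header diff is the cheap first pass.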

This Trojan Loader Evades Antivirus Software and Simulated Environments

TxHollower also checks for antivirus software on the victim's computer and halts its operations if it determines that its attack will not work. While cybercriminals are constantly looking for new ways to bypass security measures, keeping a reputable and regularly updated anti-malware tool in place, preferably one that inspects process memory rather than only files on disk, remains the best protection for your PC.
