
February 20, 2025 | Ravie Lakshmanan | Cybercrime / Malware

A recently identified malware campaign distributes the XLoader malware using the DLL side-loading technique, abusing a legitimate application associated with the Eclipse Foundation to launch the malware.

According to the AhnLab Security Intelligence Center (ASEC), the legitimate application used in the attack is jarsigner, a file created during the installation of the IDE package distributed by the Eclipse Foundation. Jarsigner is a tool used for signing JAR (Java Archive) files.

The malware is propagated in the form of a compressed ZIP archive that includes the legitimate executable, as well as the DLLs that are sideloaded to launch the malware. These files include:

- Documents2012.exe, a renamed version of the legitimate jarsigner.exe binary
- jli.dll, a DLL file modified by the threat actor to decrypt and inject concrt140e.dll
- concrt140e.dll, the XLoader payload

The attack chain transitions to the malicious phase when “Documents2012.exe” is executed, triggering the execution of the tampered “jli.dll” library to load the XLoader malware.

ASEC explained that the distributed concrt140e.dll file is an encrypted payload that is decrypted during the attack process and injected into the legitimate file aspnet_wp.exe for execution.
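The chain described above (a renamed jarsigner.exe, a jli.dll loaded from the drop directory, and aspnet_wp.exe started by that process) gives a defender three telemetry checks. The following is an added example, not code from the article or from ASEC: it runs simple rules over constructed Sysmon-style events, and the trusted Java roots, expected aspnet_wp.exe parents, sample paths and field names are assumptions to adapt to your own environment.

```python
from pathlib import PureWindowsPath

# Assumption: where a legitimate jarsigner.exe and its jli.dll normally live.
TRUSTED_JAVA_ROOTS = ("c:\\program files\\java\\", "c:\\program files\\eclipse\\")
# Assumption: processes that legitimately start the ASP.NET worker process.
EXPECTED_ASPNET_WP_PARENTS = {"inetinfo.exe", "w3wp.exe"}

def _name(path):
    return PureWindowsPath(path).name.lower()

def _in_trusted_root(path):
    return path.lower().startswith(TRUSTED_JAVA_ROOTS)

def check_event(ev):
    """Return an alert string for a suspicious event, or None if it looks benign."""
    if ev["type"] == "image_load":
        # jli.dll is a normal dependency of jarsigner inside a JDK; loading it from a
        # user-writable directory next to a renamed EXE is the side-load itself.
        if _name(ev["image"]) == "jli.dll" and not _in_trusted_root(ev["image"]):
            return f"jli.dll loaded from untrusted path {ev['image']} by {ev['process']}"
    elif ev["type"] == "process_create":
        image = _name(ev["image"])
        # The dropper is jarsigner.exe renamed; the PE version resource still carries
        # the original name (Sysmon exposes it as OriginalFileName).
        if ev.get("original_file_name", "").lower() == "jarsigner.exe" and image != "jarsigner.exe":
            return f"renamed jarsigner.exe running as {ev['image']}"
        # aspnet_wp.exe is the injection target; it should be started by IIS, not a user EXE.
        if image == "aspnet_wp.exe" and _name(ev["parent"]) not in EXPECTED_ASPNET_WP_PARENTS:
            return f"aspnet_wp.exe started by unexpected parent {ev['parent']}"
    return None

def scan(events):
    return [alert for alert in map(check_event, events) if alert]

# Constructed sample telemetry: one benign jarsigner run, then the campaign's chain.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\Java\jdk-17\bin\jarsigner.exe",
     "original_file_name": "jarsigner.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "image_load", "image": r"C:\Program Files\Java\jdk-17\bin\jli.dll",
     "process": r"C:\Program Files\Java\jdk-17\bin\jarsigner.exe"},
    {"type": "process_create", "image": r"C:\Users\u\Downloads\Documents2012.exe",
     "original_file_name": "jarsigner.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "image_load", "image": r"C:\Users\u\Downloads\jli.dll",
     "process": r"C:\Users\u\Downloads\Documents2012.exe"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe",
     "original_file_name": "aspnet_wp.exe", "parent": r"C:\Users\u\Downloads\Documents2012.exe"},
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

The benign JDK run produces no alert; the three malicious events each trigger one rule, so the rules can be deployed individually or correlated by process.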

The injected malware, XLoader, steals sensitive information, such as the user’s PC and browser information, and performs various activities, including downloading additional malware.

XLoader, a successor to the Formbook malware, was first detected in the wild in 2020. It is available for sale to other criminal actors under a Malware-as-a-Service (MaaS) model. In August 2023, a macOS version of the information stealer and keylogger was discovered impersonating Microsoft Office.

According to Zscaler ThreatLabz, XLoader versions 6 and 7 add further obfuscation and encryption layers to protect critical code and data, making the malware harder to detect and reverse-engineer.

XLoader has introduced techniques that were previously observed in SmokeLoader, including encrypting parts of code at runtime and NTDLL hook evasion.

Further analysis of the malware revealed its use of hard-coded decoy lists to blend real command-and-control (C2) network communications with traffic to legitimate websites. Both the decoys and real C2 servers are encrypted using different keys and algorithms.

As with other malware families such as Pushdo, the decoys are intended to generate network traffic to legitimate domains so that the real C2 traffic is harder to distinguish from it.