Cybercriminals Use Eclipse Jarsigner to Deploy XLoader Malware via ZIP Archives

A new malware campaign has been identified, leveraging the DLL side-loading technique to distribute XLoader malware by exploiting a legitimate application associated with the Eclipse Foundation.

According to the AhnLab Security Intelligence Center (ASEC), “The legitimate application used in this attack, jarsigner, is a file generated during the installation of the IDE package provided by the Eclipse Foundation. It serves as a tool for signing JAR (Java Archive) files.”

The South Korean cybersecurity firm reported that the malware is spread through a compressed ZIP archive containing both the authentic executable and the required DLLs used for sideloading the malware. The ZIP file includes:

Documents2012.exe: A renamed version of the original jarsigner.exe binary.

jli.dll: A DLL file modified by attackers to decrypt and inject the malicious concrt140e.dll.

concrt140e.dll: The actual XLoader malware payload.

The attack enters its malicious phase when “Documents2012.exe” is executed: the renamed jarsigner binary loads the tampered “jli.dll” from its own directory, and that library in turn decrypts and loads the XLoader payload.

ASEC explained, “The distributed concrt140e.dll file is an encrypted payload that undergoes decryption during execution, subsequently being injected into the legitimate aspnet_wp.exe process.”

Once injected, XLoader gathers sensitive information, including the victim’s PC and browser data, and facilitates further malicious activities, such as downloading additional malware components.
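The chain above (renamed jarsigner, jli.dll loaded from the binary's own folder, injection into aspnet_wp.exe) lends itself to a simple host-based detection. The following is an added illustration, not code from ASEC or the article: it runs three checks over constructed Sysmon-style events (process creation, image load, remote thread), correlating them by an assumed process id field.

```python
# Constructed Sysmon-style events (sample data, not from the original report),
# modelled on the jarsigner side-loading chain: a renamed jarsigner launches,
# loads jli.dll from its own folder, then opens a remote thread in aspnet_wp.exe.
# A benign jarsigner run from an IDE install is included as a control.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "Image": r"C:\Users\u\Downloads\Documents2012.exe",
     "OriginalFileName": "jarsigner.exe"},
    {"id": 7, "pid": 4120, "Image": r"C:\Users\u\Downloads\Documents2012.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\jli.dll"},
    {"id": 8, "pid": 4120, "SourceImage": r"C:\Users\u\Downloads\Documents2012.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"},
    {"id": 1, "pid": 5000, "Image": r"C:\eclipse\jdk\bin\jarsigner.exe",
     "OriginalFileName": "jarsigner.exe"},
    {"id": 7, "pid": 5000, "Image": r"C:\eclipse\jdk\bin\jarsigner.exe",
     "ImageLoaded": r"C:\eclipse\jdk\bin\jli.dll"},
]


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    """Lower-cased directory component of a Windows path."""
    return path.rsplit("\\", 1)[0].lower()


def detect_jarsigner_sideload(events):
    """Return (pid, reason) findings. Events are assumed to arrive in order,
    so the process-creation event precedes that process's loads and threads.
    Only processes whose PE OriginalFileName is jarsigner.exe but whose
    on-disk name differs are treated as suspicious; the benign control
    process therefore produces no findings."""
    renamed = set()
    findings = []
    for e in events:
        if (e["id"] == 1 and e.get("OriginalFileName", "").lower() == "jarsigner.exe"
                and _base(e["Image"]) != "jarsigner.exe"):
            renamed.add(e["pid"])
            findings.append((e["pid"], "renamed jarsigner: " + _base(e["Image"])))
        elif (e["id"] == 7 and e["pid"] in renamed and _base(e["ImageLoaded"]) == "jli.dll"
                and _dir(e["ImageLoaded"]) == _dir(e["Image"])):
            findings.append((e["pid"], "jli.dll side-loaded from process directory"))
        elif e["id"] == 8 and e["pid"] in renamed and _base(e["TargetImage"]) == "aspnet_wp.exe":
            findings.append((e["pid"], "remote thread into aspnet_wp.exe"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_jarsigner_sideload(SAMPLE_EVENTS):
        print(pid, reason)
```

The rename check alone already separates the malicious run from the control, since a legitimate jarsigner keeps its original file name; the other two checks add confidence rather than coverage.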

Evolution of XLoader Malware

XLoader, which evolved from the Formbook malware, first emerged in 2020. Operating under a Malware-as-a-Service (MaaS) model, it is available for sale to cybercriminals. In August 2023, researchers discovered a macOS variant of XLoader disguised as Microsoft Office, indicating an expanding range of targeted platforms.

Zscaler ThreatLabz highlighted in a recent report that “XLoader versions 6 and 7 integrate additional obfuscation and encryption techniques aimed at concealing critical code and bypassing signature-based detection, complicating reverse engineering attempts.”

Additionally, XLoader has adopted techniques previously seen in SmokeLoader, including runtime code encryption and NTDLL hook evasion.

Advanced Evasion Tactics

Further examination of XLoader’s behavior has revealed its use of hardcoded decoy lists to mix genuine command-and-control (C2) traffic with legitimate website communications. The decoys and real C2 servers utilize separate encryption keys and algorithms, making detection more challenging.

Similar to tactics used by malware families like Pushdo, XLoader generates traffic to legitimate domains to mask its real C2 operations.

In another instance, DLL side-loading has been exploited by the SmartApeSG (also known as ZPHP or HANEYMANEY) cybercriminal group to deploy NetSupport RAT through legitimate websites infected with JavaScript web injects. This remote access trojan (RAT) then acts as a conduit for deploying StealC malware.

Meanwhile, researchers at Zscaler have detailed two other malware loaders, NodeLoader and RiseLoader, used to distribute various malware strains, including information stealers, cryptocurrency miners, and botnet malware like Vidar, Lumma, Phemedrone, XMRig, and Socks5Systemz.

Researchers observed that RiseLoader and RisePro exhibit several similarities in their network communication protocols, including message structure, initialization process, and payload format. These commonalities indicate that both malware families might be controlled by the same threat actor.

With malware campaigns continually evolving, cybersecurity experts emphasize the importance of heightened vigilance, proactive defense strategies, and robust endpoint protection to mitigate the risks posed by these sophisticated threats.
