A malware campaign that uses DLL side-loading against a legitimate application associated with the Eclipse Foundation to distribute the XLoader malware has been uncovered.
"The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation," the AhnLab SEcurity Intelligence Center (ASEC) said. "It is a tool for signing JAR (Java Archive) files."
The South Korean cybersecurity firm said the malware is being propagated as a compressed ZIP archive that bundles the legitimate executable with the DLLs that are side-loaded to launch it:

- Documents2012.exe, a renamed copy of the legitimate jarsigner.exe binary
- jli.dll, a DLL modified by the threat actor to decrypt and inject concrt140e.dll
- concrt140e.dll, the XLoader payload

The attack chain crosses over to the malicious phase when "Documents2012.exe" is run: the renamed jarsigner resolves the tampered "jli.dll" library from its own directory rather than from the original installation, and that DLL loads the XLoader malware.
"The distributed concrt140e.dll file is an encrypted payload that is decrypted during the attack process and injected into the legitimate file aspnet_wp.exe for execution," ASEC said.
"The injected malware, XLoader, steals sensitive information such as the user's PC and browser information, and performs various activities such as downloading additional malware."
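The chain above leaves three separable traces on an endpoint: a signed binary running under a name that differs from its version-resource OriginalFileName, an unsigned DLL loaded from the same user-writable directory as that binary, and a thread created in another process. The script below correlates those three signals. It is an added example, not ASEC's or AhnLab's code; the event dictionaries are a constructed, simplified stand-in for Sysmon Event IDs 1, 7 and 8, and the field names, paths and PIDs are assumptions made for the illustration.

```python
"""Correlate process-creation, image-load and remote-thread telemetry for the
jarsigner side-loading chain.

Added illustration, not ASEC's or AhnLab's code. The event dictionaries are a
constructed, simplified approximation of Sysmon Event IDs 1 (ProcessCreate),
7 (ImageLoad) and 8 (CreateRemoteThread); field names, paths and PIDs are
assumptions for the example.
"""
import ntpath
from collections import defaultdict

# Directories an ordinary user can write to. A signed binary running from one
# of these next to an unsigned DLL in the same directory is the side-loading tell.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Constructed sample telemetry (not real logs). PID 4120 mirrors the chain on
# this page; PID 5000 is a benign control: jarsigner run from its install dir.
EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Users\u\Downloads\Documents2012.exe",
     "original_filename": "jarsigner.exe", "signed": True},
    {"id": 7, "pid": 4120, "image_loaded": r"C:\Users\u\Downloads\jli.dll", "signed": False},
    {"id": 7, "pid": 4120, "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"id": 8, "pid": 4120,
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"},
    {"id": 1, "pid": 5000, "image": r"C:\eclipse\jre\bin\jarsigner.exe",
     "original_filename": "jarsigner.exe", "signed": True},
    {"id": 7, "pid": 5000, "image_loaded": r"C:\eclipse\jre\bin\jli.dll", "signed": True},
]


def analyse(events):
    """Return {pid: [finding, ...]} for every process with at least one finding."""
    procs = {}
    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = {"image": e["image"], "orig": e["original_filename"]}
    findings = defaultdict(list)
    for pid, p in procs.items():
        # 1. On-disk name differs from the PE version resource's OriginalFileName:
        #    a renamed copy of a legitimate signed binary.
        if ntpath.basename(p["image"]).lower() != p["orig"].lower():
            findings[pid].append("renamed_binary:" + p["orig"])
    exe_dir = {pid: ntpath.dirname(p["image"]).lower() for pid, p in procs.items()}
    for e in events:
        pid = e.get("pid")
        if pid not in procs:
            continue
        if e["id"] == 7:
            # 2. Unsigned DLL loaded from the executable's own, user-writable directory.
            dll_dir = ntpath.dirname(e["image_loaded"]).lower()
            if (not e["signed"] and dll_dir == exe_dir[pid]
                    and dll_dir.startswith(USER_WRITABLE)):
                findings[pid].append(
                    "unsigned_sideloaded_dll:" + ntpath.basename(e["image_loaded"]))
        elif e["id"] == 8:
            # 3. Thread created in a different process: the injection step
            #    (aspnet_wp.exe in the chain described on this page).
            target = ntpath.basename(e["target_image"])
            if target.lower() != ntpath.basename(procs[pid]["image"]).lower():
                findings[pid].append("remote_thread_into:" + target)
    return dict(findings)


def suspicious_pids(events, min_findings=2):
    """PIDs with at least min_findings indicators; any single one alone is often benign."""
    return sorted(pid for pid, f in analyse(events).items() if len(f) >= min_findings)


if __name__ == "__main__":
    for pid, f in analyse(EVENTS).items():
        print(pid, f)
    print("suspicious:", suspicious_pids(EVENTS))
```

The threshold of two indicators is deliberate: renamed installers and unsigned DLLs are each common on their own, and remote-thread creation is routine for some legitimate software, so the value is in the conjunction within one process. The benign control (jarsigner running from its installation directory with a signed jli.dll) produces no findings, which is the false-positive case a practitioner should check first when tuning the rule.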
A successor to the Formbook malware, XLoader was first detected in the wild in 2020. It is sold to other criminal actors under a Malware-as-a-Service (MaaS) model. A macOS version of the information stealer, disguised as Microsoft Office, was discovered in August 2023.
"XLoader versions 6 and 7 include additional obfuscation and encryption layers meant to protect critical code and information to defeat signature-based detection and complicate reverse engineering efforts," Zscaler ThreatLabz said in a two-part report published this month.
"XLoader has introduced techniques that were previously observed in SmokeLoader," the report added.
Further analysis of the malware has revealed its use of hard-coded decoy lists to blend real command-and-control (C2) communications with traffic to legitimate websites. The decoy list and the real C2 servers are each encrypted with a different key and algorithm.
The intention behind the decoys is to generate network traffic to legitimate domains in order to disguise the real C2 traffic, much like in the case of <a href="https://thehackernews.com/2014/07/-Malware-Computer-hacking-Trojan.html" rel="noopener" target="_blank">malware families like</a>.
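Decoys defeat a one-shot look at a single beacon, but the real C2 must be contacted consistently, and an analyst can exploit that over enough rounds. The script below simulates the blending and then ranks destinations by how many rounds they appear in. It is an added example, not Zscaler's code and not XLoader's actual selection logic; it assumes a simple model in which each round contacts the real C2 plus a random subset of the decoy list, and every hostname in it is constructed.

```python
"""Separate a real C2 host from hard-coded decoys by persistence across
beacon rounds.

Added illustration, not Zscaler's code and not XLoader's actual algorithm.
Model assumption: every beacon round contacts the real C2 plus a random
subset of the decoy list. All hostnames are constructed.
"""
import random
from collections import Counter

# Constructed names; none of these are real infrastructure.
REAL_C2 = "metrics-sync.example"
DECOYS = [f"decoy{i:02d}.example" for i in range(16)]


def beacon_round(rng, real_c2=REAL_C2, decoys=DECOYS, k=4):
    """One round of beaconing: k decoys plus the real C2, in random order
    (model assumption for the example)."""
    hosts = rng.sample(decoys, k) + [real_c2]
    rng.shuffle(hosts)
    return hosts


def simulate(rounds=20, seed=7):
    """Deterministic stand-in for per-round destination lists pulled from
    proxy or DNS logs of one infected host."""
    rng = random.Random(seed)
    return [beacon_round(rng) for _ in range(rounds)]


def presence_counts(rounds):
    """Number of rounds each host appears in (repeats within a round ignored)."""
    counts = Counter()
    for hosts in rounds:
        counts.update(set(hosts))
    return counts


def likely_c2(rounds):
    """Hosts present in every round. Decoys drop out as rounds accumulate;
    a list is returned because several hosts can tie on short captures."""
    total = len(rounds)
    return sorted(h for h, n in presence_counts(rounds).items() if n == total)


if __name__ == "__main__":
    rounds = simulate()
    for host, n in presence_counts(rounds).most_common(5):
        print(f"{host:25s} {n}/{len(rounds)}")
    print("likely C2:", likely_c2(rounds))
```

With 16 decoys and 4 drawn per round, the chance that any single decoy survives 20 rounds is about 0.25 to the 20th power, so the real C2 stands alone quickly; on a single round every destination ties and nothing can be concluded. The caveat is that the method needs a capture long enough to cover many rounds, and it says nothing about which traffic is the real protocol, only which host is always there; the page notes that the decoy and C2 lists are encrypted separately, so this frequency view is independent of recovering either list from the sample.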
DLL side-loading has also been adopted by the SmartApeSG (also known as ZPHP or HANEYMANEY) threat actor, which delivers a remote access trojan through legitimate websites compromised with JavaScript web injects; the trojan then acts as a conduit to drop an information stealer.
The development comes as Zscaler detailed two other malware loaders, RiseLoader among them, that have been used to distribute a wide range of information stealers, cryptocurrency miners, and botnet malware.
"RiseLoader and [another malware family] share several similarities in their network communication protocols, including message structure, the initialization process, and payload structure," it noted. These overlaps may indicate that the same threat actor is responsible for both malware families.