
Malware campaigns distributing the Xloader malware have been observed using DLL sideloading with legitimate applications related to the Eclipse Foundation.
"Jarsigner, the legitimate application used in the attack, is a file created during the installation of the IDE package distributed by the Eclipse Foundation," the AhnLab Security Intelligence Center (ASEC) said. "It is a tool for signing JAR (Java Archive) files."
The South Korean cybersecurity company said the malware is being propagated as a compressed ZIP archive that contains the legitimate executable together with the DLLs it side-loads to launch the malware.

The archive contains documents2012.exe, a renamed copy of the legitimate jarsigner.exe binary; jli.dll, a library that the threat actor has modified to decrypt and inject concrt140e.dll; and concrt140e.dll itself, the encrypted payload.
When documents2012.exe is executed, it resolves jli.dll from its own directory, as the genuine jarsigner.exe would, and therefore loads the tampered copy that sits beside it. The modified library then carries the rest of the chain, decrypting and injecting the Xloader payload. Because the host process is an unmodified, vendor-signed binary, allow-listing executables by signature alone does not stop this; the indicators are the renamed loader outside any JDK or Eclipse install path and the DLL that ships next to it.
"The distributed concrt140e.dll file is an encrypted payload that is decrypted during the attack process and injected into the legitimate file aspnet_wp.exe for execution," ASEC said.
"The injected malware, Xloader, steals sensitive information such as user PC and browser information, and performs various activities such as downloading additional malware."
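The chain ASEC describes (renamed jarsigner.exe loads a tampered jli.dll from the same folder, which then injects into aspnet_wp.exe) can be caught from endpoint telemetry without knowing the payload in advance. The following is an added example written for this article, not ASEC's or Zscaler's code: a small correlation heuristic run over constructed Sysmon-style events. Field names follow Sysmon Event ID 7 (ImageLoad) and Event ID 8 (CreateRemoteThread); the install-directory allow-list, the sample event records, and the assumption that jarsigner.exe carries an OriginalFileName version resource are all assumptions made here, not facts from the campaign.

```python
"""Detection heuristic for the jarsigner.exe -> jli.dll -> aspnet_wp.exe chain.

Added example written for this article; it is not ASEC's or Zscaler's tooling.
Events use Sysmon field names: Event ID 7 (ImageLoad: Image, ImageLoaded,
OriginalFileName, Signed) and Event ID 8 (CreateRemoteThread: SourceImage,
TargetImage). The install-directory allow-list and the sample events below are
constructed assumptions, not data from the campaign.
"""
from pathlib import PureWindowsPath

# Hypothetical allow-list: where a jarsigner.exe / jli.dll pair is expected on a host.
EXPECTED_INSTALL_DIRS = (
    r"C:\Program Files\Eclipse Adoptium",
    r"C:\Program Files\Java",
)
SIDELOADED_DLL = "jli.dll"
LEGIT_ORIGINAL_NAME = "jarsigner.exe"
INJECTION_TARGET = "aspnet_wp.exe"


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def under_expected_dir(path: str) -> bool:
    """True if path lies below one of the expected install directories."""
    p = path.lower()
    return any(p.startswith(d.lower() + "\\") for d in EXPECTED_INSTALL_DIRS)


class SideloadDetector:
    """Correlates image-load and remote-thread events from one host."""

    def __init__(self) -> None:
        # Image paths already seen loading a suspicious jli.dll; used to tie a
        # later CreateRemoteThread into aspnet_wp.exe back to the loader.
        self.suspect_images: set[str] = set()

    def on_image_load(self, ev: dict) -> list[str]:
        if basename(ev["ImageLoaded"]) != SIDELOADED_DLL:
            return []
        image = ev["Image"]
        # Signal 1: version info says jarsigner.exe, but the file was renamed on disk
        # (assumes the binary carries an OriginalFileName resource).
        renamed = (ev.get("OriginalFileName", "").lower() == LEGIT_ORIGINAL_NAME
                   and basename(image) != LEGIT_ORIGINAL_NAME)
        # Signal 2: jli.dll resolved from a directory that is not a known JDK/Eclipse install.
        off_path = not under_expected_dir(ev["ImageLoaded"])
        # Signal 3: Sysmon could not verify a signature on the DLL (a tampered jli.dll
        # will not carry the vendor's signature). Supporting evidence only.
        unsigned = str(ev.get("Signed", "")).lower() == "false"
        if not (renamed or off_path):
            return []
        self.suspect_images.add(image.lower())
        reasons = [name for name, hit in (("renamed jarsigner.exe", renamed),
                                          ("jli.dll outside install dir", off_path),
                                          ("jli.dll unsigned", unsigned)) if hit]
        return [f"possible jli.dll sideload by {image}: " + ", ".join(reasons)]

    def on_remote_thread(self, ev: dict) -> list[str]:
        src, tgt = ev["SourceImage"], ev["TargetImage"]
        if basename(tgt) == INJECTION_TARGET and src.lower() in self.suspect_images:
            return [f"{src} created a remote thread in {tgt} after a suspicious jli.dll load"]
        return []

    def feed(self, ev: dict) -> list[str]:
        if ev["EventID"] == 7:
            return self.on_image_load(ev)
        if ev["EventID"] == 8:
            return self.on_remote_thread(ev)
        return []


# Constructed sample telemetry: one benign load from a real JDK install, then the chain.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Eclipse Adoptium\jdk-17\bin\jarsigner.exe",
     "OriginalFileName": "jarsigner.exe",
     "ImageLoaded": r"C:\Program Files\Eclipse Adoptium\jdk-17\bin\jli.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\documents2012.exe",
     "OriginalFileName": "jarsigner.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\jli.dll", "Signed": "false"},
    {"EventID": 8, "SourceImage": r"C:\Users\victim\Downloads\documents2012.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"},
]


def run(events=SAMPLE_EVENTS) -> list[str]:
    det = SideloadDetector()
    alerts: list[str] = []
    for ev in events:
        alerts.extend(det.feed(ev))
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The benign JDK load produces nothing, the renamed loader in Downloads is flagged on all three signals, and the remote thread into aspnet_wp.exe is only reported because it comes from a process the detector already marked; an injection event on its own, with no preceding suspicious load, is deliberately left uncorrelated so the rule does not fire on every process that touches aspnet_wp.exe.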
Xloader, the successor to the Formbook malware, was first detected in the wild in 2020. It is sold to other criminals under a malware-as-a-service (MaaS) model. In August 2023, a macOS version of the information stealer and keylogger was discovered impersonating Microsoft Office.
"Xloader versions 6 and 7 include additional obfuscation and encryption layers to protect critical code and information, defeat signature-based detection, and complicate reverse-engineering efforts," Zscaler ThreatLabz said in a two-part report released this month.

"Xloader introduced techniques previously observed in SmokeLoader, including encrypting part of the code at runtime and NTDLL hook evasion."
Further analysis of the malware revealed that a hard-coded decoy list is used to blend the real command-and-control (C2) communications with traffic to legitimate websites. The decoy list and the real C2 server are encrypted with different keys and algorithms.
As with malware families like Pushdo, the intent behind the decoys is to generate network traffic to legitimate domains in order to hide the actual C2 traffic. For defenders, this means an alert on a single unfamiliar destination from the injected process is unreliable; the full set of hosts a process contacts, rather than any one of them, is what distinguishes the beacon from the cover traffic.

DLL sideloading has also been abused by the threat actor known as SmartApeSG (aka ZPHP or HANEYMANEY) to deliver NetSupport RAT through legitimate websites compromised with JavaScript web injects; the remote access trojan then acts as a conduit to drop the StealC stealer.
The development comes as Zscaler detailed two other malware loaders, NodeLoader and RiseLoader, which are used to distribute a wide range of information stealers, cryptocurrency miners, and botnet malware such as Vidar, Lumma, Phemedrone, XMRig, and Socks5Systemz.
"RiseLoader and RisePro share some similarities in their network communication protocols, including message structure, initialization process, and payload structure," Zscaler said. "These overlaps may indicate that the same threat actors are behind both malware families."