A malware campaign spreading XLoader malware uses DLL side-loading, abusing a legitimate Eclipse Foundation tool, jarsigner, which is part of the IDE package. The malware is distributed via ZIP archives that contain the legitimate executable together with the malicious DLLs that are side-loaded when it runs.
All about XLoader Malware
The attack starts when “Documents2012.exe,” a renamed copy of jarsigner.exe, runs. Because the executable loads “jli.dll” from its own directory, the attacker's modified “jli.dll” is picked up instead of the real library; it decrypts the XLoader payload, “concrt140e.dll,” and injects it.
The decrypted payload is injected into the legitimate “aspnet_wp.exe” process for execution. Once active, XLoader steals sensitive data, including PC and browser information, and can also download additional malware.
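The chain above leaves two observable events on an endpoint: jli.dll being loaded by a process that is not a JDK binary (or an unsigned jli.dll), and aspnet_wp.exe being started by a parent outside the Windows directory. The following is an added detection example, not code from the original report; it runs over constructed Sysmon-style events, and the JDK host allowlist and the "parent must live under C:\Windows" heuristic are assumptions to tune for your environment.

```python
"""Flag the jarsigner/jli.dll side-loading chain in Sysmon-style event lines."""
import ntpath
import re

# Processes that legitimately load the JDK's jli.dll (assumed allowlist, tune as needed).
JDK_HOSTS = {"java.exe", "javaw.exe", "jarsigner.exe", "javac.exe", "keytool.exe"}

# Constructed events (EventID 7 = image load, EventID 1 = process create).
# Paths are illustrative, not indicators from the real campaign.
SAMPLE_EVENTS = r"""
EventID=7 Image=C:\Users\u\Downloads\Documents2012.exe ImageLoaded=C:\Users\u\Downloads\jli.dll Signed=false
EventID=7 Image=C:\Program Files\Java\jdk-17\bin\jarsigner.exe ImageLoaded=C:\Program Files\Java\jdk-17\bin\jli.dll Signed=true
EventID=7 Image=C:\Users\u\Downloads\Documents2012.exe ImageLoaded=C:\Users\u\Downloads\concrt140e.dll Signed=false
EventID=1 Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe ParentImage=C:\Users\u\Downloads\Documents2012.exe
EventID=1 Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe ParentImage=C:\Windows\System32\inetsrv\w3wp.exe
"""

# Key=Value pairs; values may contain spaces, so stop only before the next "Key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn 'Key=Value Key=Value' into a dict (values keep embedded spaces)."""
    return dict(FIELD_RE.findall(line))


def base(path):
    """Lower-cased file name of a Windows path, works on any host OS."""
    return ntpath.basename(path).lower()


def detect(events_text):
    """Return (rule, host_process, detail) tuples for events matching the chain."""
    alerts = []
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "7" and base(ev["ImageLoaded"]) == "jli.dll":
            host = base(ev["Image"])
            # jli.dll loaded by a renamed/unknown host, or an unsigned copy beside the EXE
            if host not in JDK_HOSTS or ev.get("Signed", "").lower() != "true":
                alerts.append(("jli_dll_sideload", host, ev["ImageLoaded"]))
        elif ev.get("EventID") == "1" and base(ev["Image"]) == "aspnet_wp.exe":
            parent = ev.get("ParentImage", "")
            # heuristic: the ASP.NET worker process launched from a user-writable path
            if not parent.lower().startswith("c:\\windows\\"):
                alerts.append(("aspnet_wp_injection_host", base(parent), parent))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```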
XLoader, a successor to Formbook malware, was first spotted in 2020 and is sold under a Malware-as-a-Service (MaaS) model. A macOS version impersonating Microsoft Office was found in August 2023.
Versions 6 and 7 feature added obfuscation and encryption to evade signature-based detection and hinder reverse engineering, according to Zscaler ThreatLabz.
XLoader has adopted techniques seen in SmokeLoader, such as encrypting parts of its code during runtime and evading NTDLL hooks.
Further analysis reveals that XLoader uses hard-coded decoy lists to mix real command-and-control (C2) traffic with traffic to legitimate websites. The decoy list and the real C2 server addresses are each encrypted with different keys and algorithms. Similar to malware such as Pushdo, this tactic generates network traffic to legitimate domains to hide the true C2 traffic.
The SmartApeSG (also known as ZPHP or HANEYMANEY) threat actor uses DLL side-loading to deliver the NetSupport RAT via compromised websites, which then drops the StealC stealer.
Zscaler also reported on two other malware loaders, NodeLoader and RiseLoader, used to distribute various information stealers, cryptocurrency miners, and botnet malware like Vidar, Lumma, Phemedrone, XMRig, and Socks5Systemz.
RiseLoader and RisePro share similarities in their network communication, message structure, and payload, suggesting they may come from the same threat actor.
IOCs
MD5
42f5b18d194314f43af6a31d05e96f16
8e6763e7922215556fa10711e1328e08
URL
http[:]//www[.]datarush[.]life/uhtg/