A malware campaign distributing the XLoader malware has been observed using the DLL side-loading technique by making use of a legitimate application associated with the Eclipse Foundation.
“The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation,” the AhnLab SEcurity Intelligence Center (ASEC) said. “It is a tool for signing JAR (Java Archive) files.”
The South Korean cybersecurity firm said the malware is propagated in the form of a compressed ZIP archive that includes the legitimate executable as well as the DLLs that are sideloaded to launch the malware –
Documents2012.exe, a renamed version of the legitimate jarsigner.exe binary jli.dll, a DLL file that’s modified by the threat actor to decrypt and inject concrt140e.dll concrt140e.dll, the XLoader payload
The attack chain crosses over to the malicious phase when “Documents2012.exe” is run, triggering the execution of the tampered “jli.dll” library to load the XLoader malware.
“The distributed concrt140e.dll file is an encrypted payload that is decrypted during the attack process and injected into the legitimate file aspnet_wp.exe for execution,” ASEC said.
“The injected malware, XLoader, steals sensitive information such as the user’s PC and browser information, and performs various activities such as downloading additional malware.”
A successor to the Formbook malware, XLoader was first detected in the wild in 2020. It’s available for sale to other criminal actors under a Malware-as-a-Service (MaaS) model. In August 2023, a macOS version of the information stealer and keylogger was discovered impersonating Microsoft Office.
“XLoader versions 6 and 7 include additional obfuscation and encryption layers meant to protect critical code and information to defeat signature-based detection and complicate reverse engineering efforts,” Zscaler ThreatLabz said in a two-part report published this month.
“XLoader has introduced techniques that were previously observed in SmokeLoader, including encrypting parts of code at runtime and NTDLL hook evasion.”
Further analysis of the malware has revealed its use of hard-coded decoy lists to blend real command-and-control (C2) network communications with traffic to legitimate websites. Both the decoys and real C2 servers are encrypted using different keys and algorithms.
Like in the case of malware families like Pushdo, the intention behind using decoys is to generate network traffic to legitimate domains in order to disguise real C2 traffic.
DLL side-loading has also been abused by the SmartApeSG (aka ZPHP or HANEYMANEY) threat actor to deliver NetSupport RAT via legitimate websites compromised with JavaScript web injects, with the remote access trojan acting as a conduit to drop the StealC stealer.
The development comes as Zscaler detailed two other malware loaders named NodeLoader and RiseLoader that has been used to distribute a wide range of information stealers, cryptocurrency miners, and botnet malware such as Vidar, Lumma, Phemedrone, XMRig, and Socks5Systemz.
“RiseLoader and RisePro share several similarities in their network communication protocols, including message structure, the initialization process, and payload structure,” it noted. “These overlaps may indicate that the same threat actor is behind both malware families.”
