CyberSecurity news


info@thehackernews.com (The Hacker News)@The Hacker News //
Cybercriminals are exploiting the legitimate Eclipse Jarsigner tool to deploy the XLoader malware, using a DLL side-loading technique. Researchers at AhnLab Security Intelligence Center (ASEC) discovered the campaign, which involves packaging a legitimate jarsigner.exe executable, a tool used for signing Java Archive (JAR) files, with malicious DLL files inside a compressed ZIP archive. When the legitimate executable is run, the malicious DLLs are loaded, triggering the XLoader malware infection. This method allows the malware to evade security defenses by exploiting the trust associated with a legitimate application.

The attack sequence starts when a renamed copy of jarsigner.exe (Documents2012.exe) is executed; it then loads a tampered "jli.dll" library placed alongside it. This malicious DLL decrypts and injects "concrt140e.dll," the XLoader payload, into a legitimate process (aspnet_wp.exe). XLoader is designed to steal sensitive information, including user credentials, browser data, and system information. The malware can also download and execute additional malicious payloads. Users are advised to exercise caution when handling compressed archives from unverified sources that contain an executable alongside DLL files.
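The side-loading chain above leaves two detectable traces: an executable whose on-disk name no longer matches the name compiled into its PE version resource, and a copy of jli.dll being mapped from a directory where no JDK or JRE is installed. The script below is an added illustration of that detection logic, not code from the original article or from ASEC. It runs over constructed records that mimic Sysmon image-load fields (Image, ImageLoaded, Signed, with the process's OriginalFileName taken from its process-create event); the trusted Java install roots are an assumption to be tuned per environment.

```python
"""
Flag DLL side-loading of the kind described above: a renamed jarsigner.exe
loading a tampered jli.dll from a non-standard directory.

Input records are constructed to resemble Sysmon Event ID 7 (image load)
fields plus the process's OriginalFileName from Event ID 1; they are sample
data, not real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where a legitimate JDK/JRE (and therefore jli.dll) is expected.
# Assumption for this example; adjust to the environment's real install roots.
TRUSTED_JAVA_ROOTS = (
    r"C:\Program Files\Java",
    r"C:\Program Files\Eclipse Adoptium",
    r"C:\Program Files (x86)\Java",
)

# Libraries that jarsigner.exe resolves from its own directory and that an
# attacker can therefore replace by dropping a file next to the executable.
SIDELOAD_CANDIDATES = {"jli.dll"}


@dataclass(frozen=True)
class ImageLoadEvent:
    process_image: str        # full path of the running executable (Sysmon: Image)
    original_file_name: str   # name in the PE version resource (Sysmon: OriginalFileName)
    image_loaded: str         # full path of the DLL mapped into the process (Sysmon: ImageLoaded)
    signed: bool              # DLL carried a valid Authenticode signature (Sysmon: Signed)


def _under_trusted_root(path: str) -> bool:
    """True if path lies beneath one of the expected Java install roots (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(root) in p.parents for root in TRUSTED_JAVA_ROOTS)


def analyze(event: ImageLoadEvent) -> list[str]:
    """Return the reasons this image load looks like side-loading (empty if clean)."""
    findings = []
    proc_name = PureWindowsPath(event.process_image).name.lower()
    dll_name = PureWindowsPath(event.image_loaded).name.lower()

    # A renamed copy of jarsigner.exe: the on-disk name no longer matches the
    # name compiled into the PE version resource.
    if event.original_file_name.lower() == "jarsigner.exe" and proc_name != "jarsigner.exe":
        findings.append(f"renamed jarsigner.exe running as {proc_name}")

    if dll_name in SIDELOAD_CANDIDATES:
        # The genuine library lives beside a real JDK/JRE, not in Downloads or Temp.
        if not _under_trusted_root(event.image_loaded):
            findings.append(f"{dll_name} loaded from untrusted location {event.image_loaded}")
        # The genuine library is signed; a tampered drop-in typically is not.
        if not event.signed:
            findings.append(f"{dll_name} is unsigned")
    return findings


def scan(events: list[ImageLoadEvent]) -> dict[str, list[str]]:
    """Map each suspicious process image to its findings; clean events are omitted."""
    result = {}
    for e in events:
        reasons = analyze(e)
        if reasons:
            result[e.process_image] = reasons
    return result


# Constructed sample telemetry: one benign JDK run, one matching the campaign's pattern.
SAMPLE_EVENTS = [
    ImageLoadEvent(
        process_image=r"C:\Program Files\Java\jdk-17\bin\jarsigner.exe",
        original_file_name="jarsigner.exe",
        image_loaded=r"C:\Program Files\Java\jdk-17\bin\jli.dll",
        signed=True,
    ),
    ImageLoadEvent(
        process_image=r"C:\Users\alice\Downloads\Documents2012\Documents2012.exe",
        original_file_name="jarsigner.exe",
        image_loaded=r"C:\Users\alice\Downloads\Documents2012\jli.dll",
        signed=False,
    ),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The OriginalFileName comparison is the most durable of the three checks, because it does not depend on where the archive was unpacked; the path and signature checks reduce noise from users who legitimately run a portable JDK from an unusual directory.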



References:
  • Cyber Security News: Cybercriminals Abuse Jarsigner to Spread XLoader Malware
  • gbhackers.com: Hackers Exploit Jarsigner Tool to Deploy XLoader Malware
  • The Hacker News: Cybercriminals Use Eclipse Jarsigner to Deploy XLoader Malware via ZIP Archives
  • cyberpress.org: Cybercriminals Abuse Jarsigner to Spread XLoader Malware
  • Talkback Resources: Cybercriminals Use Eclipse Jarsigner to Deploy XLoader Malware via ZIP Archives [rev] [mal]
  • www.scworld.com: Intrusions begin with the spread of a compressed ZIP archive containing a renamed jarsigner.exe file, which when executed prompts the loading of a tampered DLL library and eventual injection of XLoader malware, according to an analysis from the AhnLab Security Intelligence Center.
  • Talkback Resources: XLoader malware campaign uses DLL side-loading with legitimate Eclipse Foundation application, distributing payload in compressed ZIP archive to steal sensitive information and download additional malware, evolving with obfuscation and encryption layers to evade detection, potentially linked to other loaders like NodeLoader and RiseLoader.
Classification:
  • HashTags: #XLoader #Malware #SideLoading
  • Company: Eclipse Foundation
  • Target: Windows users
  • Product: Jarsigner
  • Feature: DLL side-loading
  • Malware: XLoader
  • Type: Malware
  • Severity: Medium