FlagThis

CyberSecurity updates
2025-02-22 02:07:05 Pacfic
info@thehackernews.com (The Hacker News) @ The Hacker News
Cybercriminals Abuse Jarsigner to Deploy XLoader Malware - 1d
Read more: thehackernews.com

Cybercriminals are exploiting the legitimate Eclipse Jarsigner tool to deploy the XLoader malware, using a DLL side-loading technique. Researchers at AhnLab Security Intelligence Center (ASEC) discovered the campaign, which involves packaging a legitimate jarsigner.exe executable, a tool used for signing Java Archive (JAR) files, with malicious DLL files inside a compressed ZIP archive. When the legitimate executable is run, the malicious DLLs are loaded, triggering the XLoader malware infection. This method allows the malware to evade security defenses by exploiting the trust associated with a legitimate application.

The attack sequence starts with a renamed version of jarsigner.exe (Documents2012.exe) executing, which then loads a tampered "jli.dll" library. This malicious DLL decrypts and injects "concrt140e.dll," the XLoader payload, into a legitimate process (aspnet_wp.exe). XLoader is designed to steal sensitive information, including user credentials, browser data, and system information. The malware can also download and execute additional malicious payloads. Users are advised to exercise caution when handling compressed files with executable files and accompanying DLLs from unverified sources.

Original img attribution: https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdsqB3nqqLxmQlsFfD52zU2f8CLICSVtuUtIF7sAFWRBqIkz3rxDjl11t6J6kar_TfRTaSL5paw7yb21FHyihz19fZcDGlVNy5tw4uNkPO-xN4kgPvuH2jcjMm-oHXmAAcD0ILSq00OFCmscQkntR3mgHobGAFOBYeYgf6ry9uBVNYAeQl7UfeHTLOPIen/s728-rw-e365/jar-code.png
ImgSrc: blogger.googleusercontent.com
References:

Classification:

This site is an experimental news aggregator using feeds I personally follow. You can provide me feedback using this form or using Bluesky.