XLoader Execution via JAR Signing Tool (jarsigner.exe)

AhnLab Security Intelligence Center (ASEC) reports XLoader being distributed through DLL side-loading: malicious DLLs are placed alongside a legitimate jarsigner executable so that running the executable loads them. The campaign uses renamed legitimate files and DLLs with tampered exports (jli.dll, concrt140e.dll) to decrypt and inject the XLoader payload; users should be cautious of executables that arrive bundled with extra files.

Keypoints

  • ASEC identified distribution of XLoader using DLL side-loading techniques.
  • The attack leverages the legitimate jarsigner executable from the Eclipse Foundation to load malicious libraries.
  • Malicious files observed include jli.dll (tampered exports) and concrt140e.dll (encrypted payload carrier).
  • Documents2012.exe is a renamed copy of the legitimate jarsigner executable; running it triggers loading of the malicious jli.dll placed beside it.
  • jli.dll contains modified export functions that execute the threat actor’s routines after being loaded.
  • concrt140e.dll holds an encrypted XLoader payload which is decrypted and injected at runtime.
  • XLoader is used to steal sensitive information and can download additional malware; exercise caution with bundled executables.

MITRE Techniques

  • [T1218.011] DLL Side-Loading – Uses a legitimate application to load a malicious DLL so the malware executes (‘placing a malicious DLL alongside a legitimate application, allowing the malware to execute when the application runs.’)
  • [T1003] Credential Dumping – XLoader collects sensitive information from the victim system to exfiltrate credentials and data (‘XLoader malware steals sensitive information and can download additional malware.’)

Indicators of Compromise

  • [File Hash] Malicious file hashes identified – 42f5b18d194314f43af6a31d05e96f16, 8e6763e7922215556fa10711e1328e08
  • [URL] Malicious distribution URL – http[:]//www[.]datarush[.]life/uhtg/
  • [Domain] Hosting domain observed – datarush[.]life
  • [File Name] Malicious or abused filenames – jli.dll (tampered DLL), concrt140e.dll (encrypted XLoader payload)
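As an added defender-side example (not code from the ASEC article), the Python scan below applies the key points and indicators above to a directory: it flags any executable that has the campaign's side-loaded DLL names beside it and compares file MD5s against the hashes listed under Indicators of Compromise. The sample directory, its file names and contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 file hashes and abused DLL names taken from the indicators listed above.
IOC_MD5 = {
    "42f5b18d194314f43af6a31d05e96f16",
    "8e6763e7922215556fa10711e1328e08",
}
# DLLs this campaign drops next to the renamed jarsigner.exe (jli.dll is a JDK
# runtime library and has no business sitting beside a user-dropped executable).
SIDELOAD_DLLS = {"jli.dll", "concrt140e.dll"}


def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_dir(directory: str) -> list[dict]:
    """One finding per EXE that has a campaign DLL beside it or a hash hit."""
    root = Path(directory)
    exes = [p for p in root.iterdir() if p.suffix.lower() == ".exe"]
    dlls = {p.name.lower(): p for p in root.iterdir() if p.suffix.lower() == ".dll"}
    findings = []
    for exe in exes:
        bundled = sorted(SIDELOAD_DLLS & set(dlls))
        hash_hits = [p.name for p in (exe, *dlls.values()) if md5_of(p) in IOC_MD5]
        if bundled or hash_hits:
            findings.append({"exe": exe.name, "bundled_dlls": bundled,
                             "hash_hits": sorted(hash_hits)})
    return findings


def demo() -> tuple[list[dict], list[dict]]:
    """Constructed sample: a suspect bundle (renamed launcher plus both campaign
    DLLs) and a clean folder. Placeholder contents will not match the IoC MD5s."""
    with tempfile.TemporaryDirectory() as sus, tempfile.TemporaryDirectory() as ok:
        for name in ("Documents2012.exe", "jli.dll", "concrt140e.dll", "notes.txt"):
            (Path(sus) / name).write_bytes(b"placeholder for " + name.encode())
        (Path(ok) / "tool.exe").write_bytes(b"placeholder for tool.exe")
        return scan_dir(sus), scan_dir(ok)


if __name__ == "__main__":
    print(demo())
```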

Read more: https://asec.ahnlab.com/en/84574/