Summary:
AhnLab Security Intelligence Center (ASEC) has reported the distribution of XLoader malware utilizing DLL side-loading techniques. This method involves placing a malicious DLL alongside a legitimate application, allowing the malware to execute when the application runs. The attack leverages a legitimate file from the Eclipse Foundation, jarsigner, and includes malicious files that perform decryption and injection of the XLoader payload.
Keypoints:
- AhnLab Security Intelligence Center (ASEC) identified XLoader malware distribution.
- The attack uses DLL side-loading techniques.
- Legitimate application involved is jarsigner from the Eclipse Foundation.
- Malicious files include jli.dll and concrt140e.dll.
- Documents2012.exe is a renamed legitimate file that loads the malicious DLL.
- The malicious jli.dll has tampered export functions that execute the threat actor's functions.
- concrt140e.dll serves as an encrypted payload for XLoader malware.
- XLoader malware steals sensitive information and can download additional malware.
- Users should be cautious of files distributed with executable files.
MITRE Techniques:
- DLL Side-Loading (T1218.011): Utilizes a legitimate application to load a malicious DLL, enabling execution of the malware.
- Credential Dumping (T1003): XLoader malware may collect sensitive information from the user’s system.
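As an added illustration of the detection side of the side-loading technique above (example code written for this summary, not code from the ASEC report), this Python script flags jli.dll image-load records that do not look like a normal JDK run: it checks the directory the DLL was loaded from, the name of the loading process, and whether the loaded DLL is signed. The allow-listed Java directories and loader names, the "Key=value|Key=value" record format and the sample records are all constructed assumptions for this example.

```python
import ntpath

# Assumed known-good locations and loaders for jli.dll (example values; tune
# them to the Java installs actually present in your environment).
EXPECTED_JLI_DIRS = ("c:\\program files\\java\\", "c:\\program files\\eclipse adoptium\\")
EXPECTED_JLI_LOADERS = {"java.exe", "javaw.exe", "jarsigner.exe", "keytool.exe"}

def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=value|Key=value' image-load record into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def suspicious_reasons(ev: dict) -> list:
    """Explain why a jli.dll load looks like side-loading; empty list if it looks benign."""
    if ntpath.basename(ev["ImageLoaded"]).lower() != "jli.dll":
        return []
    reasons = []
    # The genuine jli.dll lives in a Java install directory, not next to a renamed executable.
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower() + "\\"
    if not dll_dir.startswith(EXPECTED_JLI_DIRS):
        reasons.append("jli.dll loaded from outside a known Java install directory")
    # Its legitimate loaders are the JDK launchers, not an arbitrary renamed binary.
    loader = ntpath.basename(ev["Image"]).lower()
    if loader not in EXPECTED_JLI_LOADERS:
        reasons.append(f"jli.dll loaded by unexpected process {loader}")
    # A modified jli.dll no longer carries a valid vendor signature.
    if ev.get("Signed", "").lower() != "true":
        reasons.append("loaded jli.dll is unsigned")
    return reasons

def scan(lines) -> list:
    """Return (loading process, reasons) for every record that looks like a side-load."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = suspicious_reasons(ev)
        if reasons:
            hits.append((ev["Image"], reasons))
    return hits

# Constructed sample records (Sysmon-style image-load fields): a renamed jarsigner
# loading jli.dll from a user directory, a normal JDK run, and an unrelated load.
SAMPLE_LOG = [
    r"Image=C:\Users\victim\Downloads\Documents2012.exe|ImageLoaded=C:\Users\victim\Downloads\jli.dll|Signed=false",
    r"Image=C:\Program Files\Java\jdk-17\bin\jarsigner.exe|ImageLoaded=C:\Program Files\Java\jdk-17\bin\jli.dll|Signed=true",
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_LOG):
        print(image, "->", "; ".join(reasons))
```

Only the first sample record is reported, with all three reasons; the JDK-resident jarsigner run and the unrelated kernel32.dll load pass.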
IoC:
- [File Hash] 42f5b18d194314f43af6a31d05e96f16
- [File Hash] 8e6763e7922215556fa10711e1328e08
- [URL] http[:]//www[.]datarush[.]life/uhtg/
Full Research: https://asec.ahnlab.com/en/84574/