Security researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a new campaign leveraging the legitimate JAR signing tool, jarsigner.exe, to distribute the XLoader malware.
The attack employs a DLL side-loading technique, where malicious DLL files are placed alongside legitimate executable files to ensure their execution when the legitimate application is run.
This method exploits the trust associated with legitimate software to bypass security defenses.
Malicious DLL Side-Loading Technique Identified
The jarsigner tool, a component of the Eclipse Foundation’s Integrated Development Environment (IDE) package, is typically used for signing Java Archive (JAR) files.
However, in this attack, it has been weaponized by bundling it with malicious files in a compressed archive.
The archive contains three key components: the legitimate jarsigner executable renamed to Documents2012.exe, and two malicious DLLs, jli.dll and concrt140e.dll.

Anatomy of the Attack
The malicious jli.dll serves as the primary enabler of the attack.
Unlike its legitimate counterpart, which contains distinct export functions, this tampered version maps all export functions to a single address, ensuring that any function call triggers the attacker’s code.
This DLL decrypts and injects the second malicious file, concrt140e.dll, into a legitimate process (aspnet_wp.exe), effectively deploying the XLoader malware.
XLoader is an advanced information-stealing malware capable of exfiltrating sensitive data such as browser credentials and system information.
According to ASEC, it can also download additional payloads, amplifying its threat potential.
The malicious files in this campaign lack valid digital signatures, unlike the legitimate components, which are signed by the Eclipse Foundation, so a signature check on the bundled files distinguishes them on close inspection.
This attack highlights the dangers of DLL side-loading, where threat actors exploit trust in legitimate software to execute malicious code.
By distributing these files together in compressed archives, attackers aim to deceive users into executing them without suspicion.
To mitigate such threats, users and organizations are advised to:
- Exercise caution when handling executable files bundled with DLLs from unverified sources.
- Regularly update endpoint protection tools to detect unsigned or suspicious DLLs.
- Monitor for anomalous behaviors in trusted applications that could indicate tampered components.
The MD5 hashes associated with this campaign (42f5b18d194314f43af6a31d05e96f16 and 8e6763e7922215556fa10711e1328e08) and suspicious URLs (e.g., http[:]//www[.]datarush[.]life/uhtg/) should be actively blocked in security systems.
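One way to apply the signature and hash checks described above, as an added example that is not part of the ASEC report: a PowerShell triage script for an extracted archive folder (the path is a placeholder) that flags DLLs lacking a valid Authenticode signature or signed by a different publisher than the executable beside them, and matches the two MD5 hashes listed above.

```powershell
# Added example, not from ASEC's report. Audit a folder that contains a signed
# executable plus the DLLs shipped next to it, the layout used in this campaign.
# Signer mismatch is a triage heuristic, not proof of tampering: confirm flagged
# files by hash or sandbox analysis before acting on them.
param(
    [string]$Folder = 'C:\Temp\extracted_archive'   # placeholder path
)

# MD5 hashes published for this campaign (from the ASEC report)
$KnownBadMd5 = @(
    '42f5b18d194314f43af6a31d05e96f16',
    '8e6763e7922215556fa10711e1328e08'
)

$exe = Get-ChildItem -Path $Folder -Filter *.exe | Select-Object -First 1
if (-not $exe) { throw "No executable found in $Folder" }

# Publisher of the executable that the DLLs will be loaded into
$exeSig    = Get-AuthenticodeSignature -FilePath $exe.FullName
$exeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { '<unsigned>' }
Write-Host ("EXE  {0,-22} status={1,-12} signer={2}" -f $exe.Name, $exeSig.Status, $exeSigner)

foreach ($dll in Get-ChildItem -Path $Folder -Filter *.dll) {
    $sig    = Get-AuthenticodeSignature -FilePath $dll.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $md5    = (Get-FileHash -Path $dll.FullName -Algorithm MD5).Hash.ToLower()

    $flags = @()
    # Unsigned or invalid signature: the telltale the article points to
    if ($sig.Status -ne 'Valid')     { $flags += 'NO_VALID_SIGNATURE' }
    # Signed, but not by the same publisher as the EXE it sits beside
    elseif ($signer -ne $exeSigner)  { $flags += 'SIGNER_MISMATCH' }
    # Direct match against the campaign's published hashes
    if ($KnownBadMd5 -contains $md5) { $flags += 'KNOWN_IOC_HASH' }

    $verdict = if ($flags) { $flags -join ',' } else { 'ok' }
    Write-Host ("DLL  {0,-22} status={1,-12} signer={2}  md5={3}  => {4}" -f `
        $dll.Name, $sig.Status, $signer, $md5, $verdict)
}
```

Run it against a copy of the extracted archive on an isolated analysis host; a DLL reported as NO_VALID_SIGNATURE next to an Eclipse-signed executable is the pattern this campaign relies on.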
As attackers continue refining their techniques, proactive measures remain critical to safeguarding systems against sophisticated threats like XLoader.