In a cunning development in the cybercrime landscape, hackers have begun leveraging a legitimate JAR file signing tool, jarsigner from the Eclipse Foundation, to deploy the notorious XLoader malware. The cyber criminals have devised an elaborate campaign wherein they conceal their malicious payload in compressed ZIP archives using legitimate applications. The ZIP archive typically contains a renamed jarsigner.exe file (labeled as Documents2012.exe), a tampered jli.dll file, and an encrypted XLoader payload designated as concrt140e.dll. Once the unsuspecting user executes Documents2012.exe, it activates the modified jli.dll, which in turn decrypts and injects XLoader into the trusted aspnet_wp.exe process. This deceptive strategy culminates in the theft of sensitive user information and the download of additional malicious software.
Malicious Utilization of Legitimate Tools
The use of legitimate applications to obscure malicious intents is a growing trend in the evolution of malware. XLoader epitomizes this trend by implementing advanced obfuscation and encryption methods to escape detection. As a direct successor to Formbook, XLoader has been upgraded with techniques such as runtime code encryption and NTDLL hook evasion, which were previously observed in malware such as SmokeLoader. Furthermore, XLoader operates under a Malware-as-a-Service (MaaS) model, allowing it to be rented out to various threat actors. This model has greatly expanded its reach and potential harm.
An additional layer of XLoader’s sophistication is its ability to camouflage command-and-control (C2) network traffic within legitimate website traffic. By utilizing hard-coded decoy lists, the malware blends C2 communications with normal web activities, thus evading many detection mechanisms. This technique is not exclusive to XLoader and has been employed by other malware families such as Pushdo. The blending of C2 traffic with legitimate traffic highlights not only the ingenuity of cyber criminals but also the ongoing challenge faced by cybersecurity professionals in distinguishing between benign and malicious operations.
Evolution and Adaptability of XLoader
DLL side-loading, a method employed by XLoader, is far from a new tactic in the realm of cyber attacks. Threat groups, like the one labeled SmartApeSG, have exploited this method to install other malware such as NetSupport RAT and StealC stealer. The process of DLL side-loading involves hijacking a legitimate application to load a malicious DLL file, effectively circumventing common security measures. The perennial use of this technique underscores its effectiveness and the necessity for heightened vigilance in detecting such maneuvers.
In parallel, cybersecurity firm Zscaler has identified new malware loaders, namely NodeLoader and RiseLoader, which are being utilized to distribute a variety of malicious payloads. These include information stealers, cryptocurrency miners, and botnet malware, illustrating the broad spectrum of threats facilitated by advanced loaders. The ongoing development and refinement of these loaders demonstrate the relentless drive of cyber criminals to enhance their tools and adapt to new security defenses. The persistence of these sophisticated methods calls for a continuous evolution of cybersecurity strategies to effectively counter emerging threats.
Emphasizing the Need for Advanced Detection and Prevention
The growing trend of using legitimate applications for malicious purposes is evident in the evolution of malware. XLoader exemplifies this trend by using advanced obfuscation and encryption techniques to evade detection. As the direct successor to Formbook, XLoader incorporates methods like runtime code encryption and NTDLL hook evasion, previously seen in malware such as SmokeLoader. XLoader operates under a Malware-as-a-Service (MaaS) model, making it available for rent to various cybercriminals, significantly increasing its reach and potential damage.
Furthermore, XLoader’s sophistication includes its ability to disguise command-and-control (C2) network traffic by blending it with legitimate website traffic. Using hard-coded decoy lists, the malware masks C2 communications within normal web activities, evading many detection mechanisms. This technique is shared by other malware families, such as Pushdo. The ability to blend C2 traffic with legitimate traffic underscores the ingenuity of cyber criminals and the continuous challenge for cybersecurity professionals in differentiating between benign and harmful activities.