A malicious program that distributes malicious Xloader software was observed using Dll boot technique Using the legitimate application associated with the Eclipse Foundation.
“A legitimate application used in the attack, Jarsigner, is a file created during the Eclipse Foundation Distributed Fund,” AHNLAB (ASEC) (ASEC) (ASEC) (ASEC) Center (ASEC) Center (ASEC) Center (ASEC) – Note. “This is a tool for signing the JAR files (Java Archive).”
South Korean cybersecurity firm said malicious software is distributed as a compressed ZIP archive, which includes a legal executable file, as well as dll, which are loaded to launch malware –
Documents2012.exe, renamed version of the legitimate Jarsigner.exe Binary Jli.dll, the DLL file, which is changed by the actor threatening to decipher and introduce the concrt140e.dll concrt140e.dll, kailoder keapload
The attack network goes to the malicious phase when “Documents2012.exe” is launched, which causes the fake “Jli.dll” to load the malicious Xloader software.
“The accert140e.dll file is an encrypted useful load that is deciphered during the attack process and is introduced into the legal aspnet_wp.exe to execute,” ASEC said.
“Injectable malicious software, Xloader, stealing secret information, such as PC and browser information, and performs various activities such as downloading additional malware.”
The successor of Malware Formbook, Xloader was first discovered in the wild in 2020. It is available on sale to other criminals within the malware model (MAAS). In August 2023, there was a Macos Information Theft and Keylogger detected By betraying Microsoft Office.
“The Xloader 6 and 7 versions include additional layers of building and encryption designed to protect critical code and information to defeat signature -based detection and complicate back engineering,” ZSCALER OPHERLABZ – Note In a two -part report published this month.
“Xloader introduced the methods previously observed in Smokeloader, including encryption of the code parts while performing and eliminating Hook NTDll.”
Further analysis of malicious software showed the use of lists of rigid coded bait to mix network communications of real teams and control (C2) with traffic on legal websites. Both bait and real C2 servers are encrypted with different keys and algorithms.
As in the case Families malicious programs allegedly PushdoThe intention to use bait is to create network traffic into legal domains to mask real traffic C2.
Also was loaded lateral boot flooring from Smartapesg (aka Zphp or HaneyMmey) Acting threat to deliver Netsupport Rat through legitimate web -residues compromised Internet Injection JavaScriptwith remote access Trojan that acts as a pipe Steal Theft.
Development comes when ZSCALER described in detail two more malware loaders Nodal bootloader and Trait which was used to spread a wide range of information thefts, miners of cryptocurrencies and malware Botnet programs such as Grape. Break. Feder. Xmrigand Socks5Systemz.
“Riseeloader and Risepro Share several similarities in your network communication protocols, including the structure of messages, the process of initialization and the structure of useful load, “noted.
