
A sophisticated malware campaign has been discovered distributing XLoader malware by exploiting the Eclipse Foundation’s legitimate jarsigner application through DLL side-loading techniques. The AhnLab Security Intelligence Center (ASEC) recently uncovered this attack vector.
The attack utilizes a ZIP archive containing:
– Documents2012.exe (renamed jarsigner.exe)
– Modified jli.dll
– concrt140e.dll (XLoader payload)
When executed, the process chain begins with Documents2012.exe (the renamed jarsigner), which side-loads the modified jli.dll placed next to it; that DLL in turn loads the XLoader payload from concrt140e.dll. The payload is then injected into aspnet_wp.exe, enabling the malware to:
– Steal PC and browser information
– Download additional malicious software
– Execute various unauthorized activities
XLoader, which emerged in 2020 as Formbook malware’s successor, operates under a Malware-as-a-Service (MaaS) model. Recent versions (6 and 7) incorporate advanced obfuscation and encryption techniques to evade detection. The malware employs sophisticated methods including:
– Runtime code encryption
– NTDLL hook evasion
– Encrypted C2 communications
– Decoy network traffic to legitimate websites
Security researchers at Zscaler ThreatLabz have also identified connections between XLoader and other malware families, including NodeLoader and RiseLoader, suggesting that the threat actors behind these families, which span multiple attack vectors, may be linked.