A recent malware campaign has been identified that leverages DLL side-loading through jarsigner, a legitimate application from the Eclipse Foundation. The XLoader malware operates by executing a modified version of this tool, which loads an encrypted payload that steals sensitive information from victims. This XLoader variant uses advanced obfuscation techniques that make detection harder. Originally documented in 2020, it is marketed under a MaaS model, showing the evolving nature of cyber threats.
The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation.
The distributed concrt140e.dll file is an encrypted payload that is decrypted during the attack process and injected into the legitimate file aspnet_wp.exe for execution.
XLoader versions 6 and 7 include additional obfuscation and encryption layers meant to protect critical code and information to defeat signature-based detection.
XLoader, a successor to Formbook malware, steals sensitive information and is available for sale under a Malware-as-a-Service model.
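As an added detection example (not code from the original report), the following Python flags the two observable steps of the chain described above over constructed, Sysmon-style event records: jarsigner.exe loading concrt140e.dll (image-load event) and jarsigner.exe spawning aspnet_wp.exe (process-create event, assuming the injection target is started as a child process). The field names follow Sysmon's EventID 7 and EventID 1 records; the sample events and paths are constructed.

```python
from typing import Iterable, List, Dict

# Suspect pair named in the report: jarsigner.exe side-loading concrt140e.dll.
SIDELOAD_HOST = "\\jarsigner.exe"
SIDELOAD_DLL = "\\concrt140e.dll"
# Process the decrypted payload is injected into (assumed to appear as a child).
INJECTION_TARGET = "\\aspnet_wp.exe"


def _norm(path: str) -> str:
    """Lower-case and use backslashes so suffix checks are case-insensitive."""
    return path.lower().replace("/", "\\")


def find_sideload_chain(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return one alert string per event that matches either step.

    EventID 7 (image load): jarsigner.exe loads concrt140e.dll.
    EventID 1 (process create): jarsigner.exe is the parent of aspnet_wp.exe.
    """
    alerts: List[str] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "7":
            image = _norm(ev.get("Image", ""))
            dll = _norm(ev.get("ImageLoaded", ""))
            if image.endswith(SIDELOAD_HOST) and dll.endswith(SIDELOAD_DLL):
                alerts.append(f"sideload: {ev['Image']} loaded {ev['ImageLoaded']}")
        elif eid == "1":
            parent = _norm(ev.get("ParentImage", ""))
            child = _norm(ev.get("Image", ""))
            if parent.endswith(SIDELOAD_HOST) and child.endswith(INJECTION_TARGET):
                alerts.append(f"injection target: {ev['ParentImage']} spawned {ev['Image']}")
    return alerts


# Constructed sample telemetry (not real events): one side-load, one benign
# load of the genuine VC runtime DLL, one child-process launch.
SAMPLE_EVENTS = [
    {"EventID": "7", "Image": r"C:\Users\u\Downloads\jarsigner.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\concrt140e.dll"},
    {"EventID": "7", "Image": r"C:\eclipse\jarsigner.exe",
     "ImageLoaded": r"C:\Windows\System32\concrt140.dll"},
    {"EventID": "1", "ParentImage": r"C:\Users\u\Downloads\jarsigner.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"},
]

if __name__ == "__main__":
    for alert in find_sideload_chain(SAMPLE_EVENTS):
        print(alert)
```

Feed it a stream of parsed Sysmon events; the benign concrt140.dll load from System32 is intentionally not flagged, so the rule keys on the exact DLL name the report gives rather than on every runtime DLL.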