XLoader Executed Through JAR Signing Tool (jarsigner.exe)

AhnLab Security intelligence Center (ASEC) recently identified XLoader malware being distributed through the DLL side-loading technique. In DLL side-loading, a legitimate (usually signed) application is placed in the same folder as a malicious DLL that carries the name of one of the application's dependencies; because the Windows loader searches the application's own directory before the system directories for a DLL that is not a KnownDLL, launching the trusted application is enough to execute the attacker's code. The legitimate application abused in this case, jarsigner, is a tool for signing JAR (Java Archive) files that is installed as part of the IDE package distributed by the Eclipse Foundation.

According to the findings, the malware is distributed as a compressed archive that contains a legitimate, renamed EXE file together with the DLLs it depends on. Of the files in the archive, only two, jli.dll and concrt140e.dll, are malicious.

Figure 1. Files inside the compressed file

Most of the legitimate files shown in Figure 1 carry a valid Eclipse Foundation signature; the two malicious files are unsigned, which is the quickest way to tell them apart from the rest of the bundle.

– jli.dll: A DLL replaced by the threat actor. It decrypts concrt140e.dll and injects the decrypted payload into another process.

– concrt140e.dll: The encrypted payload (XLoader malware); not a valid PE on its own until jli.dll decrypts it.

– Documents2012.exe: The legitimate jarsigner.exe, renamed so that the bundle looks like a document.
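The three-file bundle above maps directly onto a detection: a process whose PE version resource says jarsigner.exe but whose file name is something else, loading an unsigned DLL from its own directory. The following script is an added example (not ASEC's detection content) that correlates process-create and image-load records in the shape of Sysmon Event ID 1 and Event ID 7 and raises an alert only when more than one of those signals line up. The records, paths, ProcessGuid values and the `SAMPLE_EVENTS` / `find_sideload_candidates` names are constructed for this example; the field names mirror Sysmon's but the events are not real telemetry.

```python
"""Correlate process-create (Sysmon Event ID 1) and image-load (Event ID 7)
style records to flag a renamed executable loading an unsigned DLL from its
own directory: the Documents2012.exe / jli.dll pattern.

Added example code; the events below are constructed, not real telemetry."""
import ntpath

# Constructed sample telemetry. Event 1 carries OriginalFileName from the PE
# version resource; Event 7 carries the loaded module and its signature state.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}",
     "Image": r"C:\Users\victim\Downloads\Documents2012.exe",
     "OriginalFileName": "jarsigner.exe"},
    {"EventID": 7, "ProcessGuid": "{A1}",
     "Image": r"C:\Users\victim\Downloads\Documents2012.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\jli.dll", "Signed": False},
    {"EventID": 7, "ProcessGuid": "{A1}",
     "Image": r"C:\Users\victim\Downloads\Documents2012.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
    # Benign baseline: the real jarsigner.exe loading its own signed jli.dll.
    {"EventID": 1, "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Eclipse\jdk\bin\jarsigner.exe",
     "OriginalFileName": "jarsigner.exe"},
    {"EventID": 7, "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Eclipse\jdk\bin\jarsigner.exe",
     "ImageLoaded": r"C:\Program Files\Eclipse\jdk\bin\jli.dll", "Signed": True},
]

# DLL names known to be side-loaded by renamed hosts; jli.dll comes from this case.
WATCHED_DLLS = frozenset({"jli.dll"})


def find_sideload_candidates(events, watched_dlls=WATCHED_DLLS):
    """Return one alert per image-load record that shows >= 2 side-loading signals."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 7:
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None:           # no matching process-create record
            continue
        image_dir = ntpath.dirname(proc["Image"]).lower()
        dll = e["ImageLoaded"]
        reasons = []
        # Signal 1: unsigned DLL resolved from the process's own directory,
        # which is exactly where the side-loading search order looks first.
        if ntpath.dirname(dll).lower() == image_dir and not e["Signed"]:
            reasons.append("unsigned DLL loaded from the process directory")
        # Signal 2: the host binary was renamed (version resource disagrees).
        if proc["OriginalFileName"].lower() != ntpath.basename(proc["Image"]).lower():
            reasons.append("host renamed: OriginalFileName=%s" % proc["OriginalFileName"])
        # Signal 3: the DLL name is a known side-load target and is unsigned.
        if ntpath.basename(dll).lower() in watched_dlls and not e["Signed"]:
            reasons.append("unsigned copy of a known side-load target")
        if len(reasons) >= 2:      # require corroboration to keep noise down
            alerts.append({"Image": proc["Image"], "ImageLoaded": dll,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_sideload_candidates(SAMPLE_EVENTS):
        print(alert["Image"], "->", alert["ImageLoaded"])
        for r in alert["reasons"]:
            print("   ", r)
```

Requiring two signals is deliberate: a renamed signed binary on its own is common in software deployments, and an unsigned DLL next to an EXE is common in developer tooling, but the two together from a user-writable directory is the side-loading shape. The benign JDK process in the sample produces no alert because its jli.dll is signed and its file name matches the version resource.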

Figure 2. Certificate signed on legitimate file

Documents2012.exe loads jli.dll and calls its exported functions. In the legitimate jli.dll each export has its own address, but in the malicious jli.dll every entry in the export table resolves to the same address. Whichever JLI_ function the launcher calls first therefore transfers control to the threat actor's code, and the attacker does not need to know or reimplement the function the host actually uses. A DLL whose named exports all point at a single address is a reliable artifact of a crafted side-loading DLL and is worth checking for when triaging bundles like this one.

Figure 3. Comparison of export function lists: legitimate jli.dll vs. malicious jli.dll
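The comparison in Figure 3 can be automated: walk the PE export directory, resolve every exported name to its function RVA, and flag the file when all names collapse onto one address. The script below is an added example (not ASEC's tooling). `parse_exports` is a pure-Python PE32/PE32+ export-table walker that can be run over a real jli.dll with `parse_exports(open(path, "rb").read())`; `build_pe_with_exports` is a minimal PE32+ builder used only to construct the two sample files inline, and the JLI_ export names and RVAs in `LEGIT_EXPORTS` / `MALICIOUS_EXPORTS` are constructed, not taken from the samples in this case.

```python
"""Flag a DLL whose export table points every named export at one address.

Added example code: a pure-Python PE export walker plus a tiny PE32+ builder
that constructs the two sample images below (constructed, not real samples)."""
import struct


def parse_exports(data):
    """Return {export_name: function_rva} from a PE32 or PE32+ image file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)   # DataDirectory[0]: export table
    exp_rva, exp_size = struct.unpack_from("<II", data, dd_off)
    if exp_rva == 0:
        return {}
    sections = []
    for i in range(nsec):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), raw))

    def rva2off(rva):                 # map an RVA to a file offset via section headers
        for vaddr, size, raw in sections:
            if vaddr <= rva < vaddr + size:
                return raw + (rva - vaddr)
        raise ValueError("RVA 0x%x maps to no section" % rva)

    ed = rva2off(exp_rva)
    # IMAGE_EXPORT_DIRECTORY: NumberOfFunctions, NumberOfNames, AddressOf{Functions,Names,NameOrdinals}
    nfuncs, nnames, af, an, ao = struct.unpack_from("<5I", data, ed + 20)
    funcs = struct.unpack_from("<%dI" % nfuncs, data, rva2off(af))
    names = struct.unpack_from("<%dI" % nnames, data, rva2off(an))
    ords = struct.unpack_from("<%dH" % nnames, data, rva2off(ao))
    exports = {}
    for name_rva, ordinal in zip(names, ords):
        off = rva2off(name_rva)
        # Note: an RVA inside [exp_rva, exp_rva+exp_size) would be a forwarder
        # string rather than code; the samples here contain none.
        exports[data[off:data.index(b"\0", off)].decode()] = funcs[ordinal]
    return exports


def collapsed_exports(exports, minimum=2):
    """True when at least `minimum` named exports all resolve to a single RVA."""
    return len(exports) >= minimum and len(set(exports.values())) == 1


def build_pe_with_exports(exports):
    """Build a minimal PE32+ file with one section holding an export table.
    exports: list of (name, function_rva). Only the headers and export data are real."""
    sec_rva, sec_raw, n = 0x1000, 0x400, len(exports)
    funcs_off, names_off = 40, 40 + 4 * n
    ords_off, str_off = names_off + 4 * n, names_off + 6 * n
    strings, name_rvas = b"", []
    for name, _ in exports:
        name_rvas.append(sec_rva + str_off + len(strings))
        strings += name.encode() + b"\0"
    dll_name_rva = sec_rva + str_off + len(strings)
    strings += b"jli.dll\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                        sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off)
    edata += b"".join(struct.pack("<I", rva) for _, rva in exports)
    edata += b"".join(struct.pack("<I", r) for r in name_rvas)
    edata += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # to offset 112
    opt += struct.pack("<II", sec_rva, len(edata))               # export DataDirectory
    opt = opt.ljust(240, b"\0")
    sec = b".edata".ljust(8, b"\0") + struct.pack("<IIII", len(edata), sec_rva, len(edata), sec_raw)
    sec = sec.ljust(40, b"\0")
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(sec_raw, b"\0") + edata


# Constructed samples: distinct addresses versus every name at one address.
LEGIT_EXPORTS = [("JLI_Launch", 0x2000), ("JLI_ManifestIterate", 0x2100), ("JLI_SetTraceLauncher", 0x2200)]
MALICIOUS_EXPORTS = [(name, 0x1500) for name, _ in LEGIT_EXPORTS]
LEGIT_DLL = build_pe_with_exports(LEGIT_EXPORTS)
MALICIOUS_DLL = build_pe_with_exports(MALICIOUS_EXPORTS)

if __name__ == "__main__":
    for label, blob in (("legitimate", LEGIT_DLL), ("malicious", MALICIOUS_DLL)):
        ex = parse_exports(blob)
        print(label, {k: hex(v) for k, v in ex.items()},
              "COLLAPSED" if collapsed_exports(ex) else "ok")
```

The walker deliberately maps RVAs through the section table rather than assuming file offset equals RVA, so it works on real on-disk DLLs where the export section is not at the image base. The `minimum=2` guard avoids flagging single-export stubs, which legitimately have one address.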


The distributed concrt140e.dll is an encrypted payload. During execution it is decrypted by the malicious jli.dll and injected into the legitimate process aspnet_wp.exe, so the final payload never touches disk in decrypted form. The injected malware, XLoader, steals sensitive information such as PC details and browser data and can carry out additional actions such as downloading further malware.

Because threat actors package malicious DLLs alongside legitimate, signed executables so that the DLL runs under the trusted binary's name, users should be cautious of any files that arrive together with an executable, and in particular of archives that bundle a renamed signed program with unsigned DLLs.

MD5

42f5b18d194314f43af6a31d05e96f16
8e6763e7922215556fa10711e1328e08
URL

http[:]//www[.]datarush[.]life/uhtg/

Related IOCs and a detailed analysis are available to AhnLab TIP subscribers.