Full Report
Recently, AhnLab SEcurity intelligence Center (ASEC) identified the distribution of XLoader malware using the DLL side-loading technique. The DLL side-loading technique places a legitimate application and a malicious DLL in the same folder so that the malicious DLL is loaded and executed when the application is run. The legitimate application used in the […] The post XLoader Executed Through JAR Signing Tool (jarsigner.exe) appeared first on ASEC.
Analysis Summary
# Tool/Technique: XLoader via DLL Side-loading
## Overview
This summary details the distribution mechanism of **XLoader malware** utilizing the **DLL side-loading technique** against Windows systems. The attack leverages a legitimate executable, `jarsigner.exe` (renamed to `Documents2012.exe`), supplied by the Eclipse Foundation to execute a malicious DLL (`jli.dll`) which subsequently decrypts and injects the core XLoader payload (`concrt140e.dll`) into another legitimate process (`aspnet_wp.exe`) for data exfiltration.
## Technical Details
- Type: Malware Family (XLoader) utilizing a specific Technique (DLL Side-loading)
- Platform: Windows
- Capabilities: DLL side-loading, process injection, malware execution, data theft (PC/browser information), downloading secondary malware.
- First Seen: (Not explicitly stated in the text)
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File
- T1574.001 - Hijack Execution Flow: Path Stand-In (Implied by placement of malicious DLL)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1055 - Process Injection
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (Implied by data theft)
## Functionality
### Core Capabilities
- **Malicious DLL Co-location:** A legitimate application (`jarsigner.exe`, renamed to `Documents2012.exe`) is bundled with malicious DLLs (`jli.dll` and `concrt140e.dll`) in the same directory.
- **Execution Hijacking:** When the legitimate EXE is run, it loads the malicious `jli.dll`. The malicious `jli.dll` has been tampered with to ensure that *all* its export functions resolve to the attacker's code, effectively hijacking standard program calls.
- **Payload Decryption/Injection:** The malicious `jli.dll` decrypts the core payload stored in `concrt140e.dll` (the encrypted XLoader malware).
- **Process Injection:** The decrypted XLoader is injected into the legitimate Windows process `aspnet_wp.exe` for execution.
### Advanced Features
- **Certificate Deception:** The legitimate files included in the distribution carry valid Eclipse Foundation certificates, while the malicious DLLs are unsigned; the valid signature on the executable can mask the fact that the DLLs it loads are not signed.
- **Payload Obfuscation:** The final XLoader payload is encrypted within `concrt140e.dll`.
## Indicators of Compromise
- File Hashes:
- MD5: `42f5b18d194314f43af6a31d05e96f16`
- MD5: `8e6763e7922215556fa10711e1328e08`
- File Names:
- `jli.dll` (Malicious)
- `concrt140e.dll` (Malicious/Encrypted Payload)
- `Documents2012.exe` (Renamed legitimate `jarsigner.exe`)
- Registry Keys: (Not specified)
- Network Indicators:
- URL: `http[:]//www[.]datarush[.]life/uhtg/` (C2/Download source)
- Behavioral Indicators:
- Execution of an application loads an unsigned, tampered `jli.dll`.
- Injection of code into `aspnet_wp.exe`.
## Associated Threat Actors
- (Not explicitly named, but the malware family used is XLoader.)
## Detection Methods
- Signature-based detection: match the known file hashes listed above.
- Behavioral detection: Monitoring attempts to inject code into system processes like `aspnet_wp.exe`. Detecting non-standard behavior from legitimate applications like `jarsigner.exe`.
- YARA rules if available: (Not provided in text)
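As an added example (not part of the ASEC report), the behavioral checks above written as a small detection routine over Sysmon-style events: it flags an unsigned `jli.dll` loaded from the same directory as the process image, and a remote thread created in `aspnet_wp.exe`. Field names follow Sysmon Event ID 7 (Image Loaded) and Event ID 8 (CreateRemoteThread); the sample paths and events are constructed, not taken from the report.

```python
import ntpath

# Names the report ties to this chain: the hijacked DLL and the injection target.
SIDELOAD_DLLS = {"jli.dll"}
INJECTION_TARGETS = {"aspnet_wp.exe"}

def _base(path):
    return ntpath.basename(path).lower()

def _dir(path):
    return ntpath.dirname(path).lower()

def check_image_load(ev):
    """Sysmon EID 7: flag an unsigned watch-listed DLL loaded from the
    directory of the process image itself (the side-loading pattern).
    A signed jli.dll next to the real JDK jarsigner.exe is not flagged."""
    if ev.get("EventID") != 7:
        return None
    loaded, image = ev["ImageLoaded"], ev["Image"]
    if _base(loaded) not in SIDELOAD_DLLS:
        return None
    if ev.get("Signed", "").lower() != "false":
        return None
    if _dir(loaded) != _dir(image):
        return None
    return f"unsigned {_base(loaded)} side-loaded by {image}"

def check_remote_thread(ev):
    """Sysmon EID 8: flag a remote thread created in the injection target."""
    if ev.get("EventID") != 8:
        return None
    if _base(ev["TargetImage"]) not in INJECTION_TARGETS:
        return None
    return f"remote thread from {ev['SourceImage']} into {ev['TargetImage']}"

def scan(events):
    """Run both rules over a list of events and return the alert strings."""
    findings = []
    for ev in events:
        for rule in (check_image_load, check_remote_thread):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings

# Constructed sample telemetry (not real events from the report).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\Documents2012.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\jli.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Program Files\Java\jdk\bin\jarsigner.exe",
     "ImageLoaded": r"C:\Program Files\Java\jdk\bin\jli.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 8, "SourceImage": r"C:\Users\victim\Downloads\Documents2012.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```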
## Mitigation Strategies
- Users should exercise caution when opening files distributed together with executables, especially inside compressed archives.
- Implement robust application control so that signed executables cannot load unsigned DLLs from their own directory.
- Monitor for process injection attacks targeting legitimate Windows processes (`aspnet_wp.exe`).
- Ensure systems only execute digitally signed executables and associated libraries where possible, and verify certificate integrity.
## Related Tools/Techniques
- DLL Side-loading (General technique)
- XLoader (Malware Family)