AhnLab Security Intelligence Center (ASEC) has identified a campaign that uses the DLL side-loading technique to deliver the XLoader malware through a legitimate, signed tool, jarsigner.exe.
jarsigner is the Java Development Kit's command-line tool for signing and verifying Java Archive (JAR) files; the copy abused here is signed by the Eclipse Foundation and is commonly bundled with its Integrated Development Environment (IDE) packages.
DLL side-loading places a malicious DLL, named after one of the application's own dependencies, in the same directory as a legitimate application. Because Windows searches the application's directory before the system directories when resolving that name, launching the application loads the attacker's DLL and runs its code inside a trusted, signed process.
Malicious DLL Side-Loading Technique Exploited
The attackers distribute a compressed archive containing three files: a renamed copy of the legitimate executable (Documents2012.exe, originally jarsigner.exe) and two malicious DLLs, jli.dll and concrt140e.dll. jli.dll borrows the name of a library that the genuine jarsigner.exe loads from its own directory, which is what makes the side-load work.
While the executable carries a valid Eclipse Foundation code-signing certificate, the two DLLs are unsigned.

Malicious Payload Execution
The attack begins when Documents2012.exe is executed. Like the genuine jarsigner.exe, it loads jli.dll from its own directory, and here that file is the attackers' replacement.
In the legitimate library each export implements a distinct function; in the malicious jli.dll every export points to the same address, so whichever function the launcher calls first hands control to the attacker's code.
According to ASEC, this jli.dll then reads concrt140e.dll, which is not a real library but the encrypted XLoader payload, decrypts it in memory and injects the result into a legitimate process.
Once injected into a process such as aspnet_wp.exe, XLoader carries out its malicious activities.
These include stealing sensitive information such as user credentials, browser data, and system details.
Additionally, it can download and execute further malware on the compromised system.
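As an added example (not code from the ASEC report or this article), the following Python script checks an unpacked bundle for the two traits described above: a signed executable sitting beside unsigned DLLs, and a DLL whose named exports all resolve to the same address. It walks the PE headers with the standard library only. `build_test_dll` fabricates a minimal PE32+ that carries just an export table so the check can be exercised offline; the export names used with it are modeled on the genuine jli.dll, but the addresses and the "signed" placeholder are constructed. `has_authenticode_blob` only tests for the presence of a certificate table; verifying the signature itself needs the Windows API or a tool such as signtool.

```python
import struct

DD_EXPORT, DD_SECURITY = 0, 4  # IMAGE_DIRECTORY_ENTRY_EXPORT / _SECURITY slots (8 bytes each)

def _headers(data):
    """Return (data_directory_offset, [(va, size, raw_ptr), ...]) for a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 optional header
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    return dd_off, sections

def has_authenticode_blob(data):
    """True if a certificate table is present (signed, though the signature is not verified here)."""
    dd_off, _ = _headers(data)
    return struct.unpack_from("<II", data, dd_off + 8 * DD_SECURITY)[0] != 0

def parse_exports(data):
    """Return {export_name: rva} (forwarders as 'DLL.Func' strings) from the export directory."""
    dd_off, sections = _headers(data)
    exp_rva, exp_size = struct.unpack_from("<II", data, dd_off + 8 * DD_EXPORT)
    if exp_rva == 0:
        return {}
    def off(rva):  # RVA -> file offset via the section table
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} maps to no section")
    def cstr(rva):
        start = off(rva)
        return data[start:data.index(b"\0", start)].decode("ascii")
    ed = off(exp_rva)
    n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", data, ed + 20)
    funcs = struct.unpack_from(f"<{n_funcs}I", data, off(funcs_rva))
    names = struct.unpack_from(f"<{n_names}I", data, off(names_rva))
    ords = struct.unpack_from(f"<{n_names}H", data, off(ords_rva))
    exports = {}
    for name_rva, ordinal in zip(names, ords):
        rva = funcs[ordinal]
        # An RVA inside the export directory itself is a forwarder string, not code.
        exports[cstr(name_rva)] = cstr(rva) if exp_rva <= rva < exp_rva + exp_size else rva
    return exports

def single_address_exports(data, min_exports=2):
    """The jli.dll trait: every named, non-forwarded export resolves to one RVA."""
    rvas = [v for v in parse_exports(data).values() if isinstance(v, int)]
    return len(rvas) >= min_exports and len(set(rvas)) == 1

def triage_bundle(files):
    """files: {filename: bytes}. Report the traits of the bundle described above."""
    findings = []
    signed_exes = [f for f, d in files.items() if f.lower().endswith(".exe") and has_authenticode_blob(d)]
    for name, data in files.items():
        if not name.lower().endswith(".dll"):
            continue
        try:
            if signed_exes and not has_authenticode_blob(data):
                findings.append(f"{name}: unsigned DLL beside signed {', '.join(signed_exes)}")
            if single_address_exports(data):
                findings.append(f"{name}: all named exports resolve to one address")
        except (ValueError, struct.error):  # not loadable at all: candidate encrypted payload
            findings.append(f"{name}: not a PE image (possible encrypted payload)")
    return findings

def build_test_dll(exports, signed=False):
    """Constructed minimal PE32+ holding only an export table (test input, not a real DLL)."""
    n, sec_va, sec_raw = len(exports), 0x1000, 0x200
    funcs_off, names_off, ords_off, str_off = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings, name_rvas = b"", []
    for nm in exports:
        name_rvas.append(sec_va + str_off + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n,  # IMAGE_EXPORT_DIRECTORY
                       sec_va + funcs_off, sec_va + names_off, sec_va + ords_off)
    body += struct.pack(f"<{n}I", *exports.values()) + struct.pack(f"<{n}I", *name_rvas)
    body += struct.pack(f"<{n}H", *range(n)) + strings
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    dirs = [(0, 0)] * 16
    dirs[DD_EXPORT] = (sec_va, len(body))
    if signed:  # point the security directory at an 8-byte placeholder appended after the section
        dirs[DD_SECURITY] = (sec_raw + raw_size, 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64 DLL, 1 section
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # NumberOfRvaAndSizes = 16
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_va, raw_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    image = (dos + coff + opt + sect).ljust(sec_raw, b"\0") + body.ljust(raw_size, b"\0")
    return image + b"\0" * 8 if signed else image
```

On a real sample, read each file of the extracted archive into the `files` dictionary and call `triage_bundle`. The `parse_exports` output can also be diffed against the export list of the JDK's own jli.dll, which is the quickest way to confirm a substituted library.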
This campaign shows how attackers leverage trusted, signed tools like jarsigner.exe to evade detection and exploit user trust.
Because the file that starts the chain is legitimately signed, a signature check on the executable alone will not reveal the attack; the malicious logic lives in the unsigned DLLs beside it.
Users should treat compressed files that bundle an executable together with accompanying DLLs with suspicion, especially when they come from unverified sources.
Organizations should deploy endpoint protection capable of detecting DLL side-loading, for example a signed executable launched from a user-writable directory loading an unsigned DLL from that same directory.
Keeping antivirus definitions current and monitoring for unusual process behaviour, such as a Java tool injecting into another process, can help mitigate such threats.
Moreover, subscribing to threat intelligence platforms like AhnLab TIP can provide access to detailed Indicators of Compromise (IOCs) and analysis for proactive defense against evolving threats.
By exploiting legitimate tools for their attacks, cybercriminals continue to refine their methods, underscoring the need for vigilance in cybersecurity practices.