Threat actors have been abusing jarsigner, the legitimate Java Archive (JAR) file-signing tool that is installed as part of the Eclipse Foundation's IDE package, to distribute the XLoader information-stealing malware in a new attack campaign, The Hacker News reports.
Intrusions begin with a ZIP archive that bundles a renamed copy of jarsigner.exe alongside a tampered DLL; when the renamed executable runs, it side-loads the malicious DLL, which ultimately injects the XLoader payload, according to an analysis from the AhnLab Security Intelligence Center (ASEC). Because the executable itself is an unmodified, legitimate tool, the chain depends entirely on the attacker-controlled DLL sitting next to it, which is what lets the launcher pass casual inspection. Aside from exfiltrating device and browser details and other sensitive data, XLoader can also deliver additional malware, ASEC researchers said. The findings follow a Zscaler ThreatLabz report on new XLoader variants whose stronger obfuscation and encryption evade signature-based detection. "XLoader has introduced techniques that were previously observed in SmokeLoader, including encrypting parts of code at runtime and NTDLL hook evasion," Zscaler ThreatLabz researchers noted.
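As a practical check on the chain described above, the following is an added detection example, not code from the ASEC or Zscaler reports: it walks Sysmon-style process-creation, image-load and remote-thread events and flags a renamed jarsigner.exe that loads an unsigned DLL from its own directory and then creates a thread in another process. The sample records, the process GUIDs, the Report.exe and launcher.dll names and the watched-name set are all constructed assumptions for the example; the field names follow Sysmon's schema.

```python
"""Hunt for a renamed legitimate binary that side-loads an unsigned DLL and injects.

Works over Sysmon-style records (EventID 1 process creation, 7 image load,
8 CreateRemoteThread). The field names follow Sysmon, but every record in
SAMPLE_EVENTS is constructed for this example, not taken from the campaign.
"""
import json
import ntpath

# PE OriginalFileName values (from the VERSIONINFO resource) of legitimate tools
# worth watching. Renaming the file on disk does not change this field, and
# editing the resource would break the file's Authenticode signature.
WATCHED_ORIGINAL_NAMES = {"jarsigner.exe"}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    # Benign: a real jarsigner.exe run under its own name, loading a signed DLL beside it.
    {"EventID": 1, "ProcessGuid": "{A1}", "OriginalFileName": "jarsigner.exe",
     "Image": r"C:\Program Files\Eclipse\jdk\bin\jarsigner.exe"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Signed": "true",
     "ImageLoaded": r"C:\Program Files\Eclipse\jdk\bin\launcher.dll"},
    # Suspicious: the same tool renamed and dropped next to an unsigned DLL (hypothetical names).
    {"EventID": 1, "ProcessGuid": "{B2}", "OriginalFileName": "jarsigner.exe",
     "Image": r"C:\Users\victim\Downloads\Report\Report.exe"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Signed": "false",
     "ImageLoaded": r"C:\Users\victim\Downloads\Report\launcher.dll"},
    {"EventID": 8, "SourceProcessGuid": "{B2}",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]


def _same_dir(path_a, path_b):
    """True when two Windows paths sit in the same directory (case-insensitive)."""
    return ntpath.dirname(path_a).lower() == ntpath.dirname(path_b).lower()


def detect(events):
    """Return (rule, process_guid, detail) tuples for each stage of the chain.

    Stage 1: a process whose OriginalFileName is a watched tool but whose
             on-disk name differs (renamed living-off-the-land binary).
    Stage 2: that process loads an unsigned DLL from its own directory
             (DLL side-loading; DLLs from other directories are ignored).
    Stage 3: that process creates a thread in another process (injection).
    """
    alerts = []
    renamed = {}  # ProcessGuid -> image path of a renamed watched tool
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            original = ev.get("OriginalFileName", "").lower()
            image = ev["Image"]
            if original in WATCHED_ORIGINAL_NAMES and ntpath.basename(image).lower() != original:
                renamed[ev["ProcessGuid"]] = image
                alerts.append(("renamed_lolbin", ev["ProcessGuid"], f"{image} is {original}"))
        elif eid == 7 and ev.get("ProcessGuid") in renamed:
            loaded = ev["ImageLoaded"]
            signed = ev.get("Signed", "false").lower() == "true"
            if _same_dir(loaded, renamed[ev["ProcessGuid"]]) and not signed:
                alerts.append(("dll_sideload", ev["ProcessGuid"], loaded))
        elif eid == 8 and ev.get("SourceProcessGuid") in renamed:
            alerts.append(("remote_thread", ev["SourceProcessGuid"], ev["TargetImage"]))
    return alerts


if __name__ == "__main__":
    for rule, guid, detail in detect(SAMPLE_EVENTS):
        print(json.dumps({"rule": rule, "process": guid, "detail": detail}))
```

The watched-name set can be extended with any other signed tool an attacker is likely to rename; keying on OriginalFileName rather than the on-disk name is the point, since the rename is the only thing that distinguishes the dropped launcher from a normal jarsigner.exe run, and the "same directory, unsigned" test on the loaded DLL separates side-loading from ordinary system DLL loads.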