A recent malware campaign has been identified deploying XLoader malware through a DLL side-loading technique, utilizing a legitimate application affiliated with the Eclipse Foundation. This method allows attackers to execute malicious payloads without direct detection, raising significant security concerns.
The application exploited in this attack is jarsigner, a tool included in the IDE package from the Eclipse Foundation, intended for the signing of Java Archive (JAR) files. According to AhnLab Security Intelligence Center (ASEC), the malware is distributed within a ZIP archive that pairs the legitimate jarsigner executable with malicious DLL files that facilitate the malware’s activation.
Specifically, the attackers ship a renamed copy of the jarsigner executable, Documents2012.exe, alongside a modified jli.dll that decrypts and loads concerta140e.dll, the XLoader payload. The chain begins when Documents2012.exe is executed: it side-loads the altered jli.dll, which in turn launches the malware.
ASEC elaborates that the concerta140e.dll file serves as an encrypted payload that is decrypted and injected into a legitimate process, aspnet_wp.exe, for execution. This stealthy injection method allows XLoader to harvest sensitive information, such as details regarding the user’s operating system and browser, while also facilitating the download of additional malicious software.
XLoader, a successor to the Formbook malware, emerged in 2020 and is sold under a Malware-as-a-Service (MaaS) model, amplifying its distribution among cybercriminals. Recently, a macOS variant posing as Microsoft Office surfaced, highlighting the malware’s adaptability. A report from Zscaler ThreatLabz emphasizes that newer XLoader versions have introduced complex obfuscation techniques designed to evade detection by security measures and complicate reverse engineering efforts.
Analysis reveals that XLoader employs sophisticated tactics previously observed in other malware families, including runtime code encryption and evasion techniques targeting NTDLL calls. Additionally, the malware uses hard-coded decoy domains to mix authentic command-and-control (C2) communications with benign website traffic, making its C2 harder to isolate in network telemetry. Similar methods have been reported in other known malware families, indicating a broader trend of using decoy traffic to obscure malicious activity.
The abuse of DLL side-loading is not an isolated case. Recent activity linked to the SmartApeSG threat actor shows the same technique being used to deploy the NetSupport RAT, illustrating how widely it is now employed. As cyber threats continuously evolve, organizations must remain vigilant and improve their defenses against these attack methods.
In response to this incident, Mikaël Barbero, head of security at the Eclipse Foundation, clarified that the misuse of jarsigner.exe arises from inherent behavior in Windows’ DLL loading processes and does not signal a flaw in Eclipse’s software. Barbero emphasized that there is no evidence of direct compromise within the Eclipse infrastructure, underscoring that attackers are merely leveraging legitimate software in nefarious ways.
This scenario exemplifies the necessity for organizations to understand such vulnerabilities and bolster their cybersecurity measures accordingly. Given that the United States has become a primary target for these types of attacks, understanding the tactics and techniques—such as initial access, persistence, and privilege escalation from the MITRE ATT&CK framework—is crucial for mitigating risks associated with DLL side-loading and the use of otherwise legitimate applications for malicious purposes.