Full Report
A malware campaign distributing the XLoader malware has been observed using the DLL side-loading technique by making use of a legitimate application associated with the Eclipse Foundation. "The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation," the AhnLab SEcurity Intelligence Center (ASEC)
Analysis Summary
# Tool/Technique: XLoader Malware
## Overview
XLoader is an active information stealer and keylogger, considered a successor to the Formbook malware. It is available for purchase under a Malware-as-a-Service (MaaS) model and has variants targeting both Windows and macOS systems. Recent activity shows it being distributed using a DLL side-loading technique leveraging a legitimate application from the Eclipse Foundation.
## Technical Details
- Type: Malware family
- Platform: Windows, macOS
- Capabilities: Information stealing (PC and browser data), keylogging, downloading additional malware, runtime code encryption, C2 traffic obfuscation.
- First Seen: 2020
## MITRE ATT&CK Mapping
*Note: Mappings are derived from the general description of XLoader capabilities and the observed distribution technique.*
- **TA0003 - Persistence**
- T1574 - Hijack Execution Flow
- **T1574.002 - DLL Side-Loading** (Observed in recent distribution method)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Versions 6 & 7 show increased obfuscation/encryption)
- T1140 - Deobfuscate/Decode Files or Information
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (In conjunction with traffic blending/decoys)
## Functionality
### Core Capabilities
- Stealing sensitive information, including user PC and browser details.
- Keylogging functionality.
- Downloading and executing secondary malware payloads.
- Operating on a Malware-as-a-Service (MaaS) sales model.
### Advanced Features
- **Advanced Evasion (Versions 6 & 7):** Incorporates additional obfuscation and encryption layers to defeat signature-based detection and complicate reverse engineering.
- **Technique Adoption:** Utilizes techniques previously seen in SmokeLoader, such as encrypting code segments at runtime.
- **NTDLL Hook Evasion:** Implements methods to evade detection via NTDLL hooks.
- **C2 Traffic Blending:** Employs hard-coded decoy lists to mix legitimate website traffic with command-and-control communications, using different encryption keys/algorithms for decoys and true C2 servers.
## Indicators of Compromise
*Note: Only the indicators named in the technique description are available; file hashes, registry keys and current C2 addresses are not in the source.*
- File Hashes: [Not provided in context]
- File Names: `Documents2012.exe` (Renamed `jarsigner.exe`), `jli.dll` (Modified sideloaded DLL), `concrt140e.dll` (Encrypted XLoader payload)
- Registry Keys: [Not provided in context]
- Network Indicators: [C2 servers are encrypted and blended with legitimate traffic; specific contemporary C2s are not listed.]
- Behavioral Indicators: Execution of `Documents2012.exe` leads to the loading of the manipulated `jli.dll`, which subsequently decrypts and injects the payload (`concrt140e.dll`) into the legitimate Windows process `aspnet_wp.exe`.
## Associated Threat Actors
- Unspecified threat actors operating the XLoader MaaS platform.
## Detection Methods
- Signature-based detection (Challenged by new obfuscation layers in newer variants).
- Behavioral detection focusing on DLL loading anomalies (a renamed `jarsigner.exe` loading `jli.dll` from a user-writable directory) and on process injection into `aspnet_wp.exe`.
- Monitoring for runtime decryption of code segments (memory regions that are written and then made executable inside the side-loaded process).
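The behavioral chain above (renamed `jarsigner.exe`, untrusted `jli.dll` loaded from the same directory, then access to `aspnet_wp.exe`) can be expressed as a correlation rule over endpoint telemetry. The script below is an added example and is not code from the report or from AhnLab; it uses Sysmon field names (EventID 1 ProcessCreate, 7 ImageLoaded, 8 CreateRemoteThread, 10 ProcessAccess), and every event in `SAMPLE_EVENTS`, including the `aspnet_wp.exe` path, is constructed for the example rather than captured from a real host. The watch lists are seeded only with the names the report gives.

```python
"""Added example: score a process on the side-load-then-inject chain the
report describes, using Sysmon-style events. Events below are constructed."""
from pathlib import PureWindowsPath

WATCHED_DLLS = {"jli.dll", "concrt140e.dll"}   # names taken from the report
WATCHED_TARGETS = {"aspnet_wp.exe"}            # injection target from the report
# Directory fragments an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _name(p):
    return PureWindowsPath(p).name.lower()


def _dir(p):
    return str(PureWindowsPath(p).parent).lower()


def _add(finding, signal):
    """Record a signal once per process; each distinct signal adds one point."""
    if signal not in finding["signals"]:
        finding["signals"].append(signal)
        finding["score"] += 1


def analyze(events, threshold=2):
    """Return findings (score >= threshold) keyed by Sysmon ProcessGuid.
    Severity is 'high' once an injection-style event is seen, else 'medium'."""
    procs = {}
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            f = procs.setdefault(ev["ProcessGuid"],
                                 {"image": ev["Image"], "signals": [], "score": 0})
            orig = ev.get("OriginalFileName", "")
            # PE version resource still says jarsigner.exe after the rename.
            if orig and orig.lower() != _name(ev["Image"]):
                _add(f, f"renamed binary (OriginalFileName={orig})")
            if any(tok in ev["Image"].lower() for tok in USER_WRITABLE):
                _add(f, "runs from a user-writable directory")
        elif eid == 7:
            f = procs.get(ev["ProcessGuid"])
            if f is None:
                continue
            dll = _name(ev["ImageLoaded"])
            same_dir = _dir(ev["ImageLoaded"]) == _dir(ev["Image"])
            untrusted = (ev.get("Signed", "false").lower() != "true"
                         or ev.get("SignatureStatus") != "Valid")
            if dll in WATCHED_DLLS and same_dir and untrusted:
                _add(f, f"untrusted {dll} loaded from the application directory")
        elif eid in (8, 10):
            # Sysmon spells the GUID field differently in events 8 and 10.
            guid = ev.get("SourceProcessGuid") or ev.get("SourceProcessGUID")
            f = procs.get(guid)
            target = _name(ev["TargetImage"])
            if f is not None and target in WATCHED_TARGETS:
                _add(f, f"injection-style access to {target} (EventID {eid})")
    findings = []
    for f in procs.values():
        if f["score"] >= threshold:
            f["severity"] = ("high" if any(s.startswith("injection") for s in f["signals"])
                             else "medium")
            findings.append(f)
    return sorted(findings, key=lambda x: -x["score"])


# Constructed sample: one malicious chain and one benign control (a genuine
# JDK jarsigner loading its own signed jli.dll). Paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{P1}",
     "Image": r"C:\Users\alice\Downloads\Documents2012.exe",
     "OriginalFileName": "jarsigner.exe"},
    {"EventID": 7, "ProcessGuid": "{P1}",
     "Image": r"C:\Users\alice\Downloads\Documents2012.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\jli.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 10, "SourceProcessGUID": "{P1}",
     "SourceImage": r"C:\Users\alice\Downloads\Documents2012.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe",
     "GrantedAccess": "0x1F3FFF"},
    {"EventID": 1, "ProcessGuid": "{P2}",
     "Image": r"C:\Program Files\Eclipse Adoptium\jdk-17\bin\jarsigner.exe",
     "OriginalFileName": "jarsigner.exe"},
    {"EventID": 7, "ProcessGuid": "{P2}",
     "Image": r"C:\Program Files\Eclipse Adoptium\jdk-17\bin\jarsigner.exe",
     "ImageLoaded": r"C:\Program Files\Eclipse Adoptium\jdk-17\bin\jli.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(hit["severity"], hit["score"], hit["image"])
        for s in hit["signals"]:
            print("   ", s)
```

The benign control matters: a genuine `jarsigner.exe` loads `jli.dll` from its own directory by design, so "DLL loaded from the application directory" alone is not a signal; it is the combination with a rename, a user-writable path, a missing or invalid signature, and the later access to `aspnet_wp.exe` that separates the two cases.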
## Mitigation Strategies
- **Application Control:** Restrict execution of unsigned or unexpected binaries from legitimate application directories.
- **Endpoint Protection:** Employ advanced endpoint detection and response (EDR) capable of detecting process injection techniques (e.g., injection into `aspnet_wp.exe`).
- **Network Monitoring:** Implement traffic analysis to detect anomalous communication patterns or traffic blends that deviate from established baseline behaviors, even when communicating with known legitimate domains.
- **Patch Management:** Keep IDEs and development tools (such as Eclipse components) up to date, but note the limit: the attacker ships its own copy of the legitimate binary next to the modified DLL, so updating the installed software does not stop this chain. It helps only insofar as vendors release builds that verify the DLLs they load.
## Related Tools/Techniques
- **Technique:** DLL Side-Loading (T1574.002)
- **Predecessor Malware:** Formbook
- **Similar Techniques/Tooling Observed In:** SmokeLoader
- **Other Activity Using DLL Side-Loading:** SmartApeSG campaign (used to deliver NetSupport RAT/StealC)
- **Other Loaders Mentioned:** NodeLoader, RiseLoader (Distributing Vidar, Lumma, Phemedrone, XMRig, Socks5Systemz)
***
# Tool/Technique: DLL Side-Loading (T1574.002)
## Overview
DLL Side-Loading is an execution flow hijacking technique in which a legitimate, signed executable loads a malicious or modified Dynamic Link Library (DLL) in place of the one it expects, because the attacker places that DLL where the loader's search order finds it first, typically the application's own directory. In the XLoader case the attacker simply ships a renamed `jarsigner.exe` together with a tampered `jli.dll`. The method gives initial execution while keeping a veneer of legitimacy, since the process appears to originate from a known, trusted file.
## Technical Details
- Type: Technique
- Platform: Windows
- Capabilities: Evading application control that trusts the executable but not the DLLs it loads, executing inside a legitimately signed process, and hiding malicious code behind a trusted process name.
- First Seen: [N/A - established technique]
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
- **T1574 - Hijack Execution Flow**
- **T1574.002 - DLL Side-Loading**
## Functionality
### Core Capabilities
- Forcing a legitimate executable (e.g., `jarsigner.exe` disguised as `Documents2012.exe`) to load a malicious DLL (e.g., the modified `jli.dll`).
- Running the malicious code inside the legitimate process itself, so it inherits that process's privileges, its signed on-disk image, and whatever trust an allowlist extends to it.
### Advanced Features
- **Chain Loading:** In the XLoader example, the initial malicious DLL (`jli.dll`) is used to decrypt and load a secondary payload DLL (`concrt140e.dll`), which is then injected into another process (`aspnet_wp.exe`).
## Indicators of Compromise
- **Behavioral Indicators:** Observing a legitimate executable dynamically loading a non-standard, suspicious, or relative path DLL (e.g., loading `jli.dll` or `concrt140e.dll` from unexpected locations).
- **Process Behavior:** Monitoring the legitimate application (`jarsigner.exe` or its renamed copy) initiating process injection into an unrelated process such as `aspnet_wp.exe` (the ASP.NET worker process).
## Associated Threat Actors
- Unspecified threat actors deploying XLoader.
- SmartApeSG (an activity cluster rather than a single named actor; used this technique to deliver NetSupport RAT).
## Detection Methods
- **Process Monitoring:** Monitoring for unusual parent-child relationships or dynamic loading behavior of DLLs from non-standard binary paths.
- **API Hooking:** Detecting suspicious calls related to process injection or memory modification following DLL load events.
## Mitigation Strategies
- **Application Whitelisting:** Strictly enforce application control policies that only allow trusted, known-good applications to execute, and verify the integrity of associated DLLs.
- **Binary Integrity Checks:** Validate the digital signature and on-disk location of DLLs loaded by trusted executables, and compare them against vendor-published hashes where available.
- **Principle of Least Privilege:** Running legitimate applications with the lowest necessary privileges to restrict the impact of a successful side-load attack.
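To make the search-order point from the overview and the integrity check from the mitigation list concrete, the following added example (not code from the report, from AhnLab or from the Eclipse project) models the default Windows DLL search order and audits an application directory against a vendor hash manifest. The directory layout, the `GENUINE_JLI` bytes, the manifest and the import list `ASSUMED_IMPORTS` are all constructed for the example; in particular the imports are an assumption, not the verified import table of a real `jarsigner.exe`, and `KNOWN_DLLS` is a small sample of the registry's KnownDLLs list, not the full set.

```python
"""Added example: resolve an application's imports through the default Windows
DLL search order and flag side-load candidates whose hash does not match the
vendor manifest. Everything on disk here is constructed in a temp directory."""
import hashlib
import tempfile
from pathlib import Path

# With SafeDllSearchMode enabled (the Windows default) a LoadLibrary("x.dll")
# call searches: application directory, System32, the 16-bit System directory,
# the Windows directory, the current directory, then each PATH entry.
# Names under HKLM\...\Session Manager\KnownDLLs are always mapped from
# System32 and skip the search. This set is a sample, not the real list.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "advapi32.dll", "user32.dll"}


def search_order(app_dir, windows_dir, cwd, path_dirs):
    return [app_dir, windows_dir / "System32", windows_dir / "System",
            windows_dir, cwd, *path_dirs]


def resolve(dll, order, windows_dir):
    """Path a bare LoadLibrary(dll) would pick, or None if nothing is found."""
    if dll.lower() in KNOWN_DLLS:
        return windows_dir / "System32" / dll
    for d in order:
        cand = d / dll
        if cand.is_file():
            return cand
    return None


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(exe, imports, manifest, windows_dir, cwd, path_dirs=()):
    """Classify each import of `exe` and every extra DLL beside it.
    manifest maps lower-case DLL name -> vendor SHA-256.
    Verdicts: 'system' (resolved outside the app dir), 'ok', 'TAMPERED'
    (hash mismatch), 'UNLISTED' (beside the exe, unknown to the vendor),
    'MISSING' (phantom import: plantable in any writable search-path dir)."""
    app_dir = exe.parent
    order = search_order(app_dir, windows_dir, cwd, list(path_dirs))
    out = {}
    for dll in imports:
        key = dll.lower()
        found = resolve(dll, order, windows_dir)
        if found is None:
            verdict = "MISSING"
        elif found.parent != app_dir:
            verdict = "system"
        elif key not in manifest:
            verdict = "UNLISTED"
        elif sha256(found) != manifest[key]:
            verdict = "TAMPERED"
        else:
            verdict = "ok"
        out[key] = (found, verdict)
    # A DLL sitting next to the exe that nobody imports (the encrypted
    # concrt140e.dll in the report) is still worth a look.
    for extra in app_dir.glob("*.dll"):
        key = extra.name.lower()
        if key not in out and key not in manifest:
            out[key] = (extra, "UNLISTED")
    return out


GENUINE_JLI = b"genuine jli.dll bytes (constructed for the example)"
# Assumed import list for the launcher; only jli.dll comes from the report.
ASSUMED_IMPORTS = ["jli.dll", "KERNEL32.dll", "ADVAPI32.dll", "example_missing.dll"]


def build_scenario():
    """Constructed layout: renamed jarsigner.exe shipped with a modified
    jli.dll and the encrypted payload, plus a minimal Windows directory.
    Returns (exe_path, vendor_manifest, windows_dir)."""
    root = Path(tempfile.mkdtemp())
    windows_dir = root / "Windows"
    (windows_dir / "System32").mkdir(parents=True)
    (windows_dir / "System").mkdir()
    for name in ("kernel32.dll", "advapi32.dll"):
        (windows_dir / "System32" / name).write_bytes(b"stub " + name.encode())
    manifest = {"jli.dll": hashlib.sha256(GENUINE_JLI).hexdigest()}
    app_dir = root / "Downloads"
    app_dir.mkdir()
    exe = app_dir / "Documents2012.exe"
    exe.write_bytes(b"jarsigner.exe launcher (constructed)")
    (app_dir / "jli.dll").write_bytes(b"modified jli.dll (constructed)")
    (app_dir / "concrt140e.dll").write_bytes(b"encrypted payload (constructed)")
    return exe, manifest, windows_dir


if __name__ == "__main__":
    exe, manifest, windows_dir = build_scenario()
    for name, (path, verdict) in audit(exe, ASSUMED_IMPORTS, manifest,
                                       windows_dir, cwd=exe.parent).items():
        print(f"{verdict:9} {name:22} {path}")
```

Two points the output makes that the bullet list does not: KnownDLLs cannot be side-loaded no matter what sits in the application directory, so an audit should spend its effort on the imports that are resolved from disk; and a phantom import (`MISSING`) is a separate hijack opportunity, because an attacker who can write to any directory earlier in the search order than the first real copy wins the lookup.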
## Related Tools/Techniques
- XLoader Malware
- NetSupport RAT / StealC delivery chains