Threat actors have been observed exploiting the legitimate Java Archive (JAR) signing tool jarsigner.exe to deploy the notorious XLoader malware, according to recent findings from the AhnLab Security Intelligence Center (ASEC). The campaign specifically targets developers and organizations using Eclipse Foundation's Integrated Development Environment (IDE) tools, highlighting the growing trend of abusing trusted software ecosystems for malicious purposes. This attack leverages DLL side-loading techniques to bypass security measures, marking a significant evolution in malware distribution strategies.

While the researchers at ASEC noted that the legitimate executable bears a valid digital certificate from the Eclipse Foundation, the DLLs lack proper signatures, enabling threat actors to hijack the application's execution flow. The above figure illustrates the attack package's structure, showing the coexistence of legitimate and malicious components within the same directory. All 31 export functions in the malicious jli.dll resolve to the same memory address (0x70450), creating a unified execution gateway for the attacker's payload.

The decrypted XLoader malware employs process hollowing to inject itself into aspnet_wp.exe, a legitimate Windows process associated with .NET framework applications.
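Two detection rules for the chain described above (unsigned jli.dll side-loaded next to jarsigner.exe, then aspnet_wp.exe spawned as the hollowing target), as an added example that is not part of the ASEC report or this article. The records are constructed Sysmon-style events (Event ID 7 image load, Event ID 1 process create); the paths and signature fields are made up for the example.

```python
import ntpath

# Constructed Sysmon-style records (Event ID 7 = image load, Event ID 1 = process
# create). Field names follow Sysmon's schema; the values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Java\jdk-17\bin\jarsigner.exe",
     "ImageLoaded": r"C:\Program Files\Java\jdk-17\bin\jli.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\dev\Downloads\eclipse-pkg\jarsigner.exe",
     "ImageLoaded": r"C:\Users\dev\Downloads\eclipse-pkg\jli.dll",
     "Signed": "false", "SignatureStatus": "Unsigned"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe",
     "ParentImage": r"C:\Users\dev\Downloads\eclipse-pkg\jarsigner.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "ParentImage": r"C:\Program Files\Java\jdk-17\bin\jarsigner.exe"},
]

def _name(path):
    # Windows path handling regardless of the host OS running the rule
    return ntpath.basename(path).lower()

def unsigned_jli_sideload(ev):
    """Rule 1: jarsigner.exe loads an unsigned jli.dll from its own directory.
    A genuine JDK ships a signed jli.dll next to the launcher; an unsigned copy in
    the same (user-writable) folder is the side-loading pattern from the article."""
    if ev.get("EventID") != 7 or _name(ev["Image"]) != "jarsigner.exe":
        return False
    if _name(ev["ImageLoaded"]) != "jli.dll":
        return False
    same_dir = ntpath.dirname(ev["Image"]).lower() == ntpath.dirname(ev["ImageLoaded"]).lower()
    unsigned = str(ev.get("Signed", "")).lower() != "true" or ev.get("SignatureStatus") != "Valid"
    return same_dir and unsigned

def jarsigner_spawns_aspnet(ev):
    """Rule 2: jarsigner.exe creates aspnet_wp.exe. The signing tool has no reason to
    start the ASP.NET worker process, which the article names as the hollowing target."""
    return (ev.get("EventID") == 1
            and _name(ev.get("ParentImage", "")) == "jarsigner.exe"
            and _name(ev["Image"]) == "aspnet_wp.exe")

RULES = {"unsigned_jli_sideload": unsigned_jli_sideload,
         "jarsigner_spawns_aspnet": jarsigner_spawns_aspnet}

def scan(events):
    """Return (rule_name, event) pairs for every record that matches a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(f"[{name}] {ev['Image']}")
```

The signed JDK load and the jarsigner-to-java.exe child are left alone; only the unsigned same-directory jli.dll and the aspnet_wp.exe child are reported.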
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 20 Feb 2025 01:00:13 +0000