Ethical Hacking News

The Dark Side of Eclipse: How Hackers Exploit the Legitimate Eclipse Foundation to Distribute Malware via ZIP Archives
Cybercriminals are abusing jarsigner, a legitimate executable from the Eclipse Foundation's IDE package, to distribute malware via ZIP archives. The payload is XLoader, a successor to the Formbook malware that is sold to other criminals under a Malware-as-a-Service (MaaS) model. The campaign is a reminder that a trusted host binary says nothing about the trustworthiness of the libraries placed beside it.

  • Cybercriminals are abusing the Eclipse Foundation's jarsigner executable to distribute malware via ZIP archives.
  • The campaign uses the DLL side-loading technique: a renamed but genuine jarsigner.exe loads a tampered jli.dll, which in turn loads the XLoader malware, a successor to Formbook.
  • Users should exercise extreme caution when downloading software from unknown sources and verify its authenticity before running it; in this campaign the host binary is itself genuine, so the check must extend to the DLLs shipped alongside it.
  • The distribution of malware via ZIP archives shows why security controls need to look at what a trusted process loads, not only at the executable itself.
  • Staying vigilant and taking proactive measures can reduce the risk of falling victim to such attacks.
    Cybercriminals are abusing jarsigner, a legitimate executable from the Eclipse Foundation's IDE package, to distribute malware via ZIP archives. The AhnLab Security Intelligence Center (ASEC) has revealed that the campaign uses the DLL side-loading technique to load the XLoader malware, a successor to the Formbook malware that was first detected in 2020.

    The attack begins when an unsuspecting victim downloads a compressed ZIP archive from a compromised website. The archive contains the legitimate jarsigner.exe binary, renamed to "Documents2012.exe", together with a tampered jli.dll library and the encrypted concrt140e.dll payload. When the victim runs Documents2012.exe, the launcher asks for jli.dll by name, and Windows resolves that name from the application's own directory before the system directories, so the tampered jli.dll is loaded in place of the genuine one. Its execution then triggers the loading of the XLoader malware.
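    The check a practitioner wants at this point is whether an archive ships a DLL that the executable beside it will load from its own directory. The following Python script is an added example written for this page, not code from ASEC, The Hacker News or the Eclipse project: using only the standard library, it parses the import table of every .exe in a ZIP archive and reports the imported DLL names that are also shipped in the same archive directory, which is exactly the jarsigner.exe/jli.dll pairing described above. The sample archive it builds is constructed for the demonstration; the file names come from the article, but the executable is a synthetic minimal PE rather than jarsigner, and the two DLLs are placeholder bytes.

```python
import io
import posixpath
import struct
import zipfile


def parse_imports(data):
    """Return the DLL names in a PE file's import directory.

    Pure-stdlib walk of the PE headers: DOS header -> PE signature ->
    COFF header -> optional header data directory[1] (imports) ->
    IMAGE_IMPORT_DESCRIPTOR array, with RVAs mapped through the section table.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                         # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    import_dir = {0x10B: 104, 0x20B: 120}[magic]          # PE32 / PE32+ offsets
    import_rva = struct.unpack_from("<I", data, opt + import_dir)[0]
    if import_rva == 0:
        return []

    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    dlls = []
    off = rva_to_offset(import_rva)
    while data[off:off + 20] != bytes(20):                # all-zero descriptor ends the list
        name_rva = struct.unpack_from("<I", data, off + 12)[0]
        start = rva_to_offset(name_rva)
        dlls.append(data[start:data.index(b"\x00", start)].decode("ascii", "replace"))
        off += 20
    return dlls


def sideload_candidates(zip_bytes):
    """Map each .exe in the archive to the imported DLLs shipped in its directory.

    Windows resolves an imported DLL from the application's own directory before
    the system directories, so a DLL planted next to the executable wins.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if not name.lower().endswith(".exe"):
                continue
            folder = posixpath.dirname(name)
            shipped = {posixpath.basename(n).lower() for n in names
                       if posixpath.dirname(n) == folder and n.lower().endswith(".dll")}
            hits = sorted(d for d in parse_imports(zf.read(name)) if d.lower() in shipped)
            if hits:
                findings[name] = hits
    return findings


def build_sample_pe(dll_names):
    """Constructed test data: a minimal PE32+ image holding only an import
    directory that names `dll_names`. It is not runnable and is not jarsigner."""
    section_va = 0x1000
    names_at = (len(dll_names) + 1) * 20                  # descriptors first, then the name strings
    descriptors, names = b"", b""
    for dll in dll_names:
        descriptors += struct.pack("<5I", 0, 0, 0, section_va + names_at + len(names), 0)
        names += dll.encode() + b"\x00"
    descriptors += bytes(20)                              # terminating descriptor
    body = descriptors + names
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    body = body.ljust(raw_size, b"\x00")

    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<II", opt, 120, section_va, len(descriptors))   # import data directory
    section = struct.pack("<8sIIII", b".idata", len(body), section_va, raw_size, 0x200) + bytes(16)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\x00")
    return headers + body


def build_sample_archive():
    """Constructed stand-in for the archive described above: the file names are
    the article's, the executable is the synthetic PE from build_sample_pe()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documents2012.exe", build_sample_pe(["KERNEL32.dll", "jli.dll"]))
        zf.writestr("jli.dll", b"placeholder for the tampered library")
        zf.writestr("concrt140e.dll", b"placeholder for the encrypted payload")
    return buf.getvalue()


if __name__ == "__main__":
    for exe, dlls in sideload_candidates(build_sample_archive()).items():
        print(f"{exe}: imports shipped alongside it -> {', '.join(dlls)}")
```

    Run it as a script to see the report for the constructed archive, or pass the bytes of a real download to sideload_candidates() to apply the same check. Two caveats: the import table lists only load-time imports, so a library the program fetches later with LoadLibrary is not caught; and a DLL resolved from the application directory is only a problem when that directory is one the attacker controls, which a freshly extracted ZIP in a user's Downloads folder is.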

    Once running, XLoader steals sensitive information such as PC and browser details and can download additional malware. To hide its command-and-control (C2) traffic, it carries hard-coded decoy lists so that real C2 communications are interleaved with traffic to legitimate websites. The decoy list and the real C2 addresses are stored encrypted, each with a different key and algorithm, so decrypting the decoys does not by itself reveal the real server.

    Distributing malware with Eclipse jarsigner is an effective tactic because the executable that runs first is genuine: a file-reputation or hash check sees a known-good binary, while the malicious code lives in the DLL placed beside it. That jarsigner is a file created during the installation of the IDE package distributed by the Eclipse Foundation adds a further layer of legitimacy.

    Furthermore, XLoader has introduced techniques similar to those observed in SmokeLoader, including encrypting parts of its own code at runtime and evading the hooks that security products place on NTDLL functions. Both make the malware harder to detect and analyze.

    The rise of the Malware-as-a-Service (MaaS) model has also contributed to the proliferation of malware like XLoader. Because XLoader is sold to other criminal actors, it is distributed and updated by many hands, which makes it a highly effective tool for attackers.

    In light of this threat, cybersecurity experts are urging users to exercise extreme caution when downloading software from the internet and to verify the authenticity of any application before installing it, especially one obtained from an unknown source. In this campaign that check is not sufficient on its own: jarsigner.exe is genuine, so its hash will verify; what gives the attack away is a jli.dll shipped beside a renamed copy of it.

    The distribution of malware via ZIP archives highlights the need for security controls that look beyond the host executable. Users should keep their antivirus software up to date and use a reputable security suite that detects and blocks malicious activity, and defenders should treat a trusted process loading a DLL that was not installed with it, from a user-writable location such as a Downloads or Temp folder, as behaviour worth alerting on.

    In conclusion, the exploitation of Eclipse jarsigner to distribute malware via ZIP archives is a concerning development in the world of cybercrime. Understanding the tactic, a genuine executable used as a carrier for a malicious library, and checking what a program loads rather than only what it is, reduces the risk of falling victim to such attacks.
    Related Information:

  • https://thehackernews.com/2025/02/cybercriminals-use-eclipse-jarsigner-to.html


  • Published: Thu Feb 20 07:44:29 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.