New JinxLoader Targets Users with Formbook and XLoader Malware

A new Go-based malware loader called JinxLoader is used by threat actors to deliver next-stage payloads such as Formbook and its successor XLoader.

The revelation comes from cybersecurity companies Palo Alto Networks Unit 42 and Symantec, both of which emphasized multi-step attack sequences that led to the deployment of JinxLoader via phishing attacks.

“The malware is a tribute to the League of Legends character Jinx, with the character on the advertising poster and [command-and-control] login panel,” Symantec said. “JinxLoader’s primary function is simple: loading malware.”

Unit 42 revealed at the end of November 2023 that the malware was first advertised on hackforums[.]net on April 30, 2023, for $60 per month, $120 per year, or for a lifetime fee of $200.

The attacks start with phishing emails impersonating Abu Dhabi National Oil Company (ADNOC), urging recipients to open password-protected RAR archive attachments. Opening the archive drops the JinxLoader executable, which then acts as a gateway for Formbook or XLoader.

The development comes as ESET revealed a spike in infections delivering a new loader malware family called Rugmi, which is used to spread a wide range of information stealers.

It also comes amid a wave of campaigns distributing DarkGate and PikaBot, with a threat actor known as TA544 (aka Narwhal Spider) utilizing new variants of a loader malware called IDAT Loader to deploy Remcos RAT or SystemBC malware.

Furthermore, the threat actors behind Meduza Stealer have released an updated version of the malware (version 2.2) on the dark web with expanded support for browser-based cryptocurrency wallets and an improved credit card (CC) grabber.

In a sign that stealer malware remains a lucrative market for cybercriminals, researchers have discovered a new stealer family known as Vortex Stealer, capable of stealing browser data, Discord tokens, Telegram sessions, system information, and files smaller than 2 MB in size.

“Stolen information will be archived and uploaded to Gofile or Anonfiles; the malware will also post it to the author’s Discord using webhooks,” Symantec said. “It is also able to post to Telegram via a Telegram bot.”
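The exfiltration channels Symantec lists (Gofile, Anonfiles, Discord webhooks, Telegram bots) all leave a recognisable shape in outbound web proxy logs. The following is an added example, not code from the article or from Symantec, showing how a defender might flag uploads to those sinks. The log line format, the sample log lines, the IP addresses and the tokens are constructed for this example; the Discord webhook and Telegram Bot API URL shapes are the services' documented public formats, while the Gofile and Anonfiles upload paths are assumptions based on how those services have been used and should be adjusted to what your own proxy actually records.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed proxy log lines in a hypothetical "timestamp src_ip method url bytes_out" format.
# The IPs, timestamps, webhook id and tokens are made up for this example.
SAMPLE_PROXY_LOG = """\
2023-12-28T10:01:02Z 10.0.0.15 GET https://www.example.com/index.html 5120
2023-12-28T10:02:17Z 10.0.0.15 POST https://discord.com/api/webhooks/111111111111111111/AbCdEfGhIjKlMnOpQrStUvWxYz-0123456789 2048000
2023-12-28T10:03:44Z 10.0.0.22 POST https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument 734003
2023-12-28T10:05:01Z 10.0.0.15 PUT https://store1.gofile.io/uploadFile 1987000
2023-12-28T10:06:30Z 10.0.0.31 GET https://discord.com/channels/@me 8192
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")

# Upload endpoints of the exfil sinks named in the article.
# Discord webhook and Telegram Bot API shapes are the documented public formats;
# the Gofile and Anonfiles paths are assumptions and may need tuning for your environment.
EXFIL_RULES = [
    ("discord_webhook", re.compile(r"^https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")),
    ("telegram_bot_api", re.compile(r"^https://api\.telegram\.org/bot\d+:[\w-]+/send(?:Document|Message|Photo)")),
    ("gofile_upload", re.compile(r"^https://(?:[\w-]+\.)?gofile\.io/uploadFile")),
    ("anonfiles_upload", re.compile(r"^https://(?:api\.)?anonfiles\.com/upload")),
]

# Secrets embedded in the URL (webhook token, bot token) are redacted before the alert
# is stored, so the SIEM does not become a second copy of the attacker's credentials.
REDACT_RULES = [
    (re.compile(r"(/api/webhooks/\d+/)[\w-]+"), r"\1[REDACTED]"),
    (re.compile(r"(/bot\d+:)[\w-]+"), r"\1[REDACTED]"),
]


@dataclass
class Alert:
    ts: str
    src: str
    rule: str
    url: str        # redacted URL
    bytes_out: int


def parse_line(line: str) -> Optional[dict]:
    """Split one proxy log line into its fields; return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_url(url: str) -> Optional[str]:
    """Return the name of the first exfil rule the URL matches, or None."""
    for name, pattern in EXFIL_RULES:
        if pattern.match(url):
            return name
    return None


def redact_url(url: str) -> str:
    """Strip webhook / bot tokens from a URL before it is written to an alert."""
    for pattern, repl in REDACT_RULES:
        url = pattern.sub(repl, url)
    return url


def scan_proxy_log(text: str, min_bytes: int = 0) -> List[Alert]:
    """Flag upload requests (POST/PUT) to known exfil sinks, optionally above a size floor.

    Reads of the same domains (e.g. a user browsing Discord) are deliberately not flagged:
    the signal is data leaving via an upload endpoint, not the domain by itself.
    """
    alerts: List[Alert] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify_url(rec["url"])
        if rule is None or rec["method"] not in ("POST", "PUT"):
            continue
        size = int(rec["bytes"])
        if size < min_bytes:
            continue
        alerts.append(Alert(rec["ts"], rec["src"], rule, redact_url(rec["url"]), size))
    return alerts


if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{a.ts} {a.src} {a.rule:<17} {a.bytes_out:>8} B -> {a.url}")
```

Running the block prints one alert per upload to a listed sink and stays silent on the ordinary browsing lines. The `min_bytes` floor is the knob to tune against noise from legitimate small webhook posts; the archives these stealers upload are typically far larger than a chat notification.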
