Security experts have uncovered a new threat in the cyber landscape—JinxLoader. This Go-based malware loader, named after the popular League of Legends character Jinx, has gained notoriety for its role in delivering subsequent payloads, including Formbook and its successor, XLoader.
Symantec's researchers shed light on the multi-step attack chains threat actors use to propagate JinxLoader, which begin with phishing emails. Symantec noted that the malware pays homage to its namesake by featuring the League of Legends character on its advertising poster and on its command-and-control (C&C) login panel. JinxLoader's primary function is simple but effective: it loads other malware.
The researchers also disclosed that the malware service was first advertised on hackforums[.]net on April 30, 2023, with monthly, yearly, and lifetime subscriptions priced at $60, $120, and $200, respectively.
The attack methodology involves phishing emails posing as communications from the Abu Dhabi National Oil Company (ADNOC). These emails coerce recipients into opening password-protected RAR archive attachments. Upon opening, the JinxLoader executable is dropped, acting as a gateway for the subsequent deployment of Formbook or XLoader.
This discovery comes amid a backdrop of escalating cyber threats, including a surge in infections associated with Rugmi, a new loader malware family identified by ESET. Concurrently, campaigns distributing DarkGate and PikaBot have intensified, while threat actors such as TA544 (Narwal Spider) leverage new variants of loader malware like IDAT Loader to deploy Remcos RAT or SystemBC.
Further complicating the cybersecurity landscape is the release of an updated version (2.2) of the Meduza Stealer on the dark web. This updated version expands support for browser-based cryptocurrency wallets and enhances its credit card (CC) grabber functionality.
Highlighting the lucrative nature of stealer malware, researchers have unearthed a new family called Vortex Stealer. This particular malware is adept at exfiltrating browser data, Discord tokens, Telegram sessions, system information, and files under 2 MB in size. Stolen information is meticulously archived, uploaded to Gofile or Anonfiles, and even posted on the author’s Discord through webhooks.
To thwart JinxLoader and its payloads, bolster your organization's defenses. Prioritize phishing awareness training for employees, emphasizing caution with email attachments, and in particular with password-protected archives that scanners cannot inspect. Regularly update and patch software to close the vulnerabilities malware exploits. Organizations can also deploy robust endpoint protection and advanced threat detection mechanisms to identify and neutralize JinxLoader and its associated payloads before they execute.
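As an added example that is not from the article or Symantec, the following Python triage rule flags mail-gateway records that match the delivery pattern described above: a display name impersonating ADNOC sent from an unexpected domain, carrying a password-protected RAR attachment. The expected sender domain, the record layout, and the sample records are all assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Assumption: the sending domain an organization would expect for genuine ADNOC mail.
# Validate against your own gateway logs before relying on it.
EXPECTED_SENDER_DOMAINS = {"adnoc.ae"}
BRAND_PATTERN = re.compile(r"adnoc|abu dhabi national oil", re.IGNORECASE)
# RAR archives (v4 and v5) both begin with the marker "Rar!\x1a\x07".
RAR_MAGIC = b"Rar!\x1a\x07"

@dataclass
class Attachment:
    filename: str
    head: bytes              # first bytes of the file as seen by the gateway
    password_protected: bool # set by the gateway's archive scanner

@dataclass
class MailRecord:
    display_name: str
    sender: str              # header From address
    attachments: list = field(default_factory=list)

def is_rar(att: Attachment) -> bool:
    """Identify RAR by magic bytes first, falling back to the extension."""
    return att.head.startswith(RAR_MAGIC) or att.filename.lower().endswith(".rar")

def triage(msg: MailRecord) -> list:
    """Return the reasons a message matches the JinxLoader delivery pattern."""
    reasons = []
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if BRAND_PATTERN.search(msg.display_name) and domain not in EXPECTED_SENDER_DOMAINS:
        reasons.append(f"display name impersonates ADNOC but sender domain is {domain}")
    for att in msg.attachments:
        if is_rar(att) and att.password_protected:
            reasons.append(f"password-protected RAR attachment: {att.filename}")
    return reasons

# Constructed sample records (not real indicators).
SAMPLES = [
    MailRecord("ADNOC Procurement", "tender@example.invalid",
               [Attachment("RFQ_2023.rar", RAR_MAGIC + b"\x00", True)]),
    MailRecord("ADNOC Procurement", "tender@adnoc.ae",
               [Attachment("RFQ_2023.pdf", b"%PDF-1.7", False)]),
    MailRecord("Payroll", "hr@example.invalid",
               [Attachment("report.zip", b"PK\x03\x04", False)]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender, "->", triage(m) or "clean")
```

Only the first sample is flagged, on both the impersonation and the encrypted-archive checks; a genuine-looking sender with a plain PDF and an unrelated ZIP pass clean.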