Experts Warn of JinxLoader: Loader Used to Spread FormBook and XLoader

Cyber Threat Summary:
Researchers from Palo Alto Networks and Symantec warned of a new Go-based malware loader called JinxLoader, which is being used to deliver next-stage payloads such as Formbook and XLoader. The name of the threat comes from a League of Legends character. Palo Alto Networks’s Unit 42 first observed the malware in November 2023 reporting that it has been advertised on the hacking forum Hackforums since April 30, 2023. The attack spotted by the researchers used phishing messages posing as Abu Dhabi National Oil Company (ADNOC). The content of the messages attempted to trick the recipients into opening a password-protected RAR archive. Once the archive is opened, the infection chain starts leading to the deployment of the JinxLoader payload.

Security Officer Comments:
The author of JinxLoader, a new Go-based malware loader, is selling it for $60 per month or $120 per year, with a lifetime license available for $200. Unit42 researchers identified an eight-step infection chain for JinxLoader, which has been observed in malicious emails delivering threats like FormBook. The malware pays homage to the League of Legends character Jinx and features the character on its ad poster and command-and-control (C2) login panel. Unit42 has published indicators of compromise (IoCs) for this threat.

On Christmas Eve, Resecurity’s HUNTER unit discovered a new version of the Meduza infostealer (2.2) with significant improvements, including support for more software clients, an upgraded credit card grabber, and advanced mechanisms for password storage dump across platforms. Meduza is positioned as a strong competitor to Azorult, Redline, Racoon, and Vidar Stealer, commonly used by cybercriminals for account takeover (ATO), online-banking theft, and financial fraud.

Suggested Correction(s):
As these types of malware are utilized in phishing attacks, it's crucial for organizations to implement robust security measures to prevent such attacks from reaching users' inboxes. Since the malware is available for sale online, accessible to virtually anyone, it is likely to be employed by a wide range of cybercriminals and groups.