The new version of the IceXLoader loader has already infected thousands of systems around the world
A phishing campaign distributing the IceXLoader downloader has already affected thousands of home and corporate users, according to Minerva Labs experts. IceXLoader has been updated to version 3.3.3, which has expanded functionality and introduced a multi-stage delivery chain.
Let me remind you that this Nim-based malware was discovered by Fortinet in June 2022. At that time, IceXLoader version 3.0 was already being distributed online, but the loader lacked key features and generally looked unfinished. Now, Minerva Labs warns that the latest version of the malware clearly marks the end of its beta-test stage.
IceXLoader attacks now start with phishing emails carrying a ZIP attachment that contains the first-stage extractor. This extractor creates a new hidden folder (.tmp) on the victim's machine under C:\Users\<username>\AppData\Local\Temp and downloads the executable for the next stage of the attack, STOREM~2.exe.
This executable is a loader that downloads a PNG from a hardcoded URL and converts it into an obfuscated DLL, which is the IceXLoader payload.
After decrypting this payload, the dropper checks that it is not running inside an emulator and waits 35 seconds before launching the malware loader, a delay intended to evade sandboxes. IceXLoader is then injected into the STOREM~2.exe process using the process hollowing technique.
The researchers say that when IceXLoader 3.3.3 is first launched, it copies itself into two directories named after the operator's nickname, and then collects the following information about the host and passes it to the control server:
IP address;
UUID;
username and machine name;
Windows OS version;
installed security products;
presence of .NET Framework v2.0 and/or v4.0;
equipment information;
timestamp.
To gain a foothold in the system and maintain presence between reboots, the malware creates a new registry key in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
"The loader also creates and executes a .bat file that disables Windows Defender real-time scanning and is also added to Windows Defender exceptions to prevent scanning of the directory where IceXLoader is copied to," the experts write.
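A defender-side check for the three footholds described above (a hidden folder in Temp, an HKCU Run entry pointing at a user-writable path, and Defender real-time scanning disabled or exclusions covering such a path). This is an added hunting script, not code from the article or from Minerva Labs; it assumes Windows PowerShell 5.1 or later with the Defender module present.

```powershell
# Audit a Windows host for the persistence and Defender tampering described above.
# Added example; the list of "user-writable roots" is an assumption, not from the article.
$suspiciousRoots = @("$env:LOCALAPPDATA\Temp", "$env:APPDATA", "$env:TEMP") | Select-Object -Unique
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings = @()

# 1. HKCU Run values whose command line points into a Temp/AppData location
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip provider metadata
        foreach ($root in $suspiciousRoots) {
            if ("$($p.Value)" -like "*$root*") {
                $findings += "Run value '$($p.Name)' launches from user-writable path: $($p.Value)"
            }
        }
    }
}

# 2. Hidden folders directly under %LOCALAPPDATA%\Temp (the article describes a hidden .tmp folder)
Get-ChildItem -Path "$env:LOCALAPPDATA\Temp" -Directory -Hidden -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Hidden folder in Temp: $($_.FullName)" }

# 3. Defender state: real-time monitoring off, or exclusions covering user-writable paths
try {
    $mp = Get-MpPreference -ErrorAction Stop
    if ($mp.DisableRealtimeMonitoring) { $findings += 'Defender real-time monitoring is DISABLED' }
    foreach ($ex in @($mp.ExclusionPath) + @($mp.ExclusionProcess)) {
        if (-not $ex) { continue }
        foreach ($root in $suspiciousRoots) {
            if ($ex -like "*$root*") { $findings += "Defender exclusion covers user-writable path: $ex" }
        }
    }
} catch {
    $findings += "Could not query Defender preferences: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) { 'No suspicious persistence or Defender tampering found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any hit is a starting point for triage, not proof of infection: legitimate installers occasionally add Temp-based Run entries or exclusions, so compare against a known-good baseline.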
The loader currently supports the following commands:
stop execution;
collect information about the system and transfer it to the control server;
show a dialog box with the specified message;
restart IceXLoader;
send a GET request, download the file and open it with cmd/C;
send a GET request to download an executable file in order to run it in memory;
load and execute the .NET assembly;
change the communication interval with the control server;
update IceXLoader;
delete all copies from the disk and stop working.
Analysts note that the attackers behind this campaign are clearly not interested in protecting the stolen data, since the SQLite database containing the stolen information is freely accessible on their C&C server. The open database contains records of thousands of victims, including both home PCs and corporate machines.
Publication from the site: https://xakep.ru/