Jump to content
  • Phishing drops IceXLoader malware on thousands of home, corporate devices

    alf9872000

    • 355 views
    • 4 minutes
     Share


    • 355 views
    • 4 minutes

    A ongoing phishing campaign has infected thousands of home and corporate users with a new version of the 'IceXLoader' malware.

     

    The authors of IceXLoader, a malware loader first spotted in the wild this summer, have released version 3.3.3, enhancing the tool’s functionality and introducing a multi-stage delivery chain.

     

    The discovery of the Nim-based malware came in June 2022 by Fortinet, when IceXLoader was in version 3.0, but the loader was missing key features and generally appeared like a work-in-progress.

     

    Minerva Labs published a new post on Tuesday, warning that the latest version of IceXLoader marks a departure from the project’s beta development stage.

     

    For a malware loader so aggressively promoted on the cybercrime underground, any development of this kind is significant and could lead to a sudden uptick in its deployment.

    Current delivery chain

    The infection begins with the arrival of a ZIP file via a phishing email containing the first-stage extractor.

     

    The extractor creates a new hidden folder (.tmp) under “C:\Users\<username>\AppData\Local\Temp” and drops the next-stage executable, ‘STOREM~2.exe.’

     

    Then, depending on the extract settings selected by the operator, the infected system may be rebooted, and a new registry key will be added to delete the temp folder when the computer restarts.

     

    The dropped executable is a downloader that fetches a PNG file from a hardcoded URL and converts it into an obfuscated DLL file which is the IceXLoader payload.

     

    After decrypting the payload, the dropper performs checks to ensure it’s not running inside an emulator and waits 35 seconds before executing the malware loader to evade sandboxes.

     

    Finally, IceXLoader is injected into the STOREM~2.exe process using process hollowing.

     

    chain(2).png
    The complete IceXLoader infection chain (Minerva Labs)

    New IceXLoader

    Upon the first launch, IceXLoader version 3.3.3 copies itself into two directories named after the operator’s nickname and then collects the following information about the host and exfiltrates it to the C2:

    • IP address
    • UUID
    • Username and machine name
    • Windows OS version
    • Installed security products
    • Presence of .NET Framework v2.0 and/or v4.0
    • Hardware information
    • Timestamp

     

    To ensure persistence between reboots, the malware loader also creates a new registry key at “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.”

     

    For evasion, it uses a method of in-memory patching in AMSI.DLL, bypassing the Microsoft Windows Antimalware Scan Interface used by Windows Defender and other security products.

     

    “The loader also creates and executes a .bat file which disables Windows Defender’s real-time scan and also adds exclusions to Windows Defender to prevent it from scanning the directory IceXLoader was copied to.” - Minerva Labs.

     

    powershell(8).png
    PowerShell commands to disable AV and add exemptions (Minerva Labs)
     

    The commands supported by the loader are the following:

    • Stop execution
    • Collect system info and exfiltrate to C2
    • Display dialog box with specified message
    • Restart IceXLoader
    • Send GET request to download a file and open it with “cmd/ C”
    • Send GET request to download an executable to run it from memory
    • Load and execute a .NET assembly
    • Change C2 server beaconing interval
    • Update IceXLoader
    • Remove all copies from the disk and stop running

     

    Minerva reports that the threat actors behind this campaign aren’t interested in securing the stolen data, as the SQLite database holding stolen information is accessible in the C2 address.

     

    The exposed database contains records corresponding to thousands of victims, containing a mix of home PC and corporate PC infections.

     

    The security researchers have informed the affected companies of the exposure, but the database is updated with new entries daily.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...