IceXLoader malware might have already infected Windows devices

November 17, 2022

A new and improved malware loader called IceXLoader has allegedly compromised over a thousand personal and enterprise Windows devices worldwide.

According to researchers, the IceXLoader malware droppers are a commodity that its authors sell for about $118 on black markets and underground forums. At that price, which buys a lifetime subscription, the loader is within reach even of amateur hackers.

The researchers also added that purchasers use it to download and run additional malware on an infected host. A few months ago, a cybersecurity researcher claimed to have uncovered a new version of the loader, written in the Nim programming language to evade detection and analysis.

Based on the investigation, the discovered version was still a work in progress but looked fully functional and included a multi-stage delivery chain.

Phishing campaigns are the primary vector for the propagation of the IceXLoader malware.

IceXLoader operators commonly distribute the malware through phishing campaigns via emails containing ZIP files functioning as a trigger to launch the malware. Some hackers have utilised infection chains via IceXLoader to deliver the DarkCrystal RAT and cryptominers.

In a sample attack sequence detailed by the researchers, the ZIP file was found to harbour a dropper, which deploys a .NET-based downloader that fetches a PNG image from a hard-coded URL.

A further dropper then converts the image file into an array of bytes, from which it decrypts IceXLoader and injects it into a new process using a technique called process hollowing.
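The chain above relies on a file that is fetched as a "PNG" but actually carries an encrypted payload. As an added example (not from the article or from any IceXLoader sample), the following triage check tells a structurally clean PNG apart from one with bytes appended after the IEND chunk or a file that is not a PNG at all; both sample files are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def analyse_png(data: bytes) -> dict:
    """Walk the PNG chunk list and flag what does not belong in a plain image:
    no PNG signature, truncated or CRC-mismatched chunks, a missing IEND chunk,
    and any bytes trailing IEND (where an appended payload would sit)."""
    result = {"valid_signature": False, "chunks": [], "crc_errors": 0,
              "trailing_bytes": 0, "suspicious": False}
    if not data.startswith(PNG_SIG):
        # Not a PNG at all: treat the whole file as an opaque blob.
        result.update(trailing_bytes=len(data), suspicious=True)
        return result
    result["valid_signature"] = True
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            result["suspicious"] = True          # chunk runs past end of file
            return result
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            result["crc_errors"] += 1
        result["chunks"].append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    result["trailing_bytes"] = len(data) - pos
    result["suspicious"] = (result["crc_errors"] > 0 or result["trailing_bytes"] > 0
                            or "IEND" not in result["chunks"])
    return result


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build a well-formed chunk; only used to construct the sample files below."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed samples: a minimal 1x1 greyscale PNG, and the same image with an
# opaque blob appended after IEND as a stand-in for an encrypted payload carrier.
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
CARRIER_PNG = CLEAN_PNG + b"\x5a" * 64

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PNG), ("carrier", CARRIER_PNG), ("blob", b"\x5a" * 64)):
        print(name, analyse_png(sample))
```

A real carrier may also be a PNG whose pixel data itself encodes the payload, which this structural check alone will not catch; it is a first-pass filter for downloads made by an unexpected process, not a verdict.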

Like its predecessor, IceXLoader version 3.3.3 is coded in Nim and can gather system metadata, which it can then exfiltrate to a remote attacker-controlled domain while waiting for further commands.

Some confirmed commands involve restarting and uninstalling the malware loader and stopping its deployment. However, its primary function is downloading and running next-stage malware on disk or in memory.

Currently, an SQLite database file hosted on the threat actors' C2 server is being continuously loaded with data on thousands of victims worldwide. Therefore, more companies will likely get infected soon.
