A new malware variant known as “IceXLoader” has infected thousands of home and business users through an ongoing phishing campaign. Version 3.3.3 of IceXLoader, a malware loader first seen in the wild last summer, has been released by the tool’s creators, who have also added a multi-stage delivery chain and improved functionality.
When Fortinet discovered the Nim-based malware in June 2022, IceXLoader was at version 3.0, but it lacked certain essential functionality and looked like it was still under development. The most recent IceXLoader version, Minerva Labs said in a blog post on Tuesday, marks the project’s exit from its beta development phase. A milestone of this sort is noteworthy because it can sharply increase deployment of the loader, which has been aggressively marketed in the cybercrime underground.
The infection starts when a ZIP file containing the first-stage extractor is delivered via a phishing email. The extractor drops the next-stage executable, “STOREM~2.exe,” into a new hidden folder (.tmp) under “C:\Users\<username>\AppData\Local\Temp.” Depending on the extraction settings chosen by the operator, the infected system may then be rebooted, with a new registry key added so that the temporary folder is erased when the machine restarts.
The dropped executable is a downloader: it acquires a PNG file from a hardcoded URL, and the downloaded file is then converted into an obfuscated DLL, the IceXLoader payload. To avoid sandboxes, the dropper first decrypts the payload, checks that it isn’t running inside an emulator, and then waits 35 seconds before launching the loader. Process hollowing is then used to inject IceXLoader into the STOREM~2.exe process.
Upon its initial launch, IceXLoader 3.3.3 copies itself into two folders named after the operator’s nicknames and then gathers and exfiltrates the following host data to the C2:
- IP address
- Username and machine name
- UUID
- Installed security products
- Windows OS version
- Timestamp
- Hardware information
- Presence of .NET Framework v2.0 and/or v4.0
The malware loader also adds a new registry value under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” to guarantee persistence across reboots. It circumvents the Microsoft Windows Antimalware Scan Interface (AMSI), which Windows Defender and other security products rely on, by patching AMSI.DLL in memory.
“The loader also creates and executes a .bat file which disables Windows Defender’s real-time scan and also adds exclusions to Windows Defender to prevent it from scanning the directory IceXLoader was copied to.” – Minerva Labs.
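As an added illustration of how a defender might triage the persistence and Defender-tampering behaviours described above, the following Python is not from the Minerva or Fortinet reports; it runs over constructed, simplified log lines whose `source|field=value` layout is an assumption, not real Sysmon or Defender event text. It flags a Run-key entry pointing into the user’s Temp folder, a Defender path exclusion for such a folder, and real-time monitoring being switched off.

```python
import re

# Constructed sample events in a simplified "source|field=value|..." layout
# (not real Sysmon/Defender output). They model the behaviours in the article:
# a Run-key value pointing into AppData\Local\Temp, a Defender path exclusion
# for that folder, and real-time monitoring being disabled.
SAMPLE_LOG = r"""
sysmon13|image=C:\Windows\System32\reg.exe|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|data=C:\Users\alice\AppData\Local\Temp\.tmp\STOREM~2.exe
sysmon13|image=C:\Program Files\Vendor\setup.exe|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray|data=C:\Program Files\Vendor\tray.exe
defender5007|new=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp\.tmp = 0x0
defender5007|new=HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1
""".strip().splitlines()

# A payload living under the user's Temp folder is a red flag for persistence.
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def parse(line):
    """Split 'source|k=v|k=v' into (source, {k: v}); values may contain '='."""
    source, _, rest = line.partition("|")
    fields = dict(f.split("=", 1) for f in rest.split("|"))
    return source, fields


def triage(lines):
    """Return (severity, reason, evidence) tuples for suspicious events."""
    findings = []
    for line in lines:
        source, f = parse(line)
        if source == "sysmon13":
            # Registry value set: Run key whose data points into user Temp.
            if RUN_KEY.search(f["key"]) and USER_TEMP.search(f["data"]):
                findings.append(("high", "run-key persistence into user Temp", f["data"]))
        elif source == "defender5007":
            # Defender configuration change: exclusion added or RTP disabled.
            new = f["new"]
            if "\\Exclusions\\Paths\\" in new and USER_TEMP.search(new):
                findings.append(("high", "defender exclusion for user Temp path", new))
            elif "DisableRealtimeMonitoring = 0x1" in new:
                findings.append(("critical", "defender real-time monitoring disabled", new))
    return findings


if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {evidence}")
```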
The loader supports the following commands:
- Stop execution
- Restart IceXLoader
- Update IceXLoader
- Change C2 server beaconing interval
- Collect system info and exfiltrate to C2
- Display dialog box with specified message
- Load and execute a .NET assembly
- Send a GET request to download a file and open it with “cmd /C”
- Send a GET request to download an executable to run it from memory
- Remove all copies from the disk and stop running
Because the SQLite database holding the stolen data is openly accessible on the C2 server, Minerva concludes that the threat actors behind this campaign are not concerned with protecting the information they take. The exposed database contains records for thousands of victims, a mix of infected personal and business computers. Although the researchers have notified the affected companies, the database is still being updated with new entries.