Malware delivered via phishing

A ongoing phishing campaign has infected thousands of home and corporate users with a new version of the 'IceXLoader' malware.

The authors of IceXLoader, a malware loader first spotted in the wild this summer, have released version 3.3.3, enhancing the tool’s functionality and introducing a multi-stage delivery chain.

The discovery of the Nim-based malware came in June 2022 by Fortinet, when IceXLoader was in version 3.0, but the loader was missing key features and generally appeared like a work-in-progress.

Minerva Labs published a new post on Tuesday, warning that the latest version of IceXLoader marks a departure from the project’s beta development stage.

For a malware loader so aggressively promoted on the cybercrime underground, any development of this kind is significant and could lead to a sudden uptick in its deployment.

Current delivery chain

The infection begins with the arrival of a ZIP file via a phishing email containing the first-stage extractor.

The extractor creates a new hidden folder (.tmp) under “C:\Users\<username>\AppData\Local\Temp” and drops the next-stage executable, ‘STOREM~2.exe.’

Then, depending on the extract settings selected by the operator, the infected system may be rebooted, and a new registry key will be added to delete the temp folder when the computer restarts.

The dropped executable is a downloader that fetches a PNG file from a hardcoded URL and converts it into an obfuscated DLL file which is the IceXLoader payload.

After decrypting the payload, the dropper performs checks to ensure it’s not running inside an emulator and waits 35 seconds before executing the malware loader to evade sandboxes.

Finally, IceXLoader is injected into the STOREM~2.exe process using process hollowing.

The complete infection chain
The complete IceXLoader infection chain (Minerva Labs)

New IceXLoader

Upon the first launch, IceXLoader version 3.3.3 copies itself into two directories named after the operator’s nickname and then collects the following information about the host and exfiltrates it to the C2:

  • IP address
  • UUID
  • Username and machine name
  • Windows OS version
  • Installed security products
  • Presence of .NET Framework v2.0 and/or v4.0
  • Hardware information
  • Timestamp

To ensure persistence between reboots, the malware loader also creates a new registry key at “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.”

For evasion, it uses a method of in-memory patching in AMSI.DLL, bypassing the Microsoft Windows Antimalware Scan Interface used by Windows Defender and other security products.

“The loader also creates and executes a .bat file which disables Windows Defender’s real-time scan and also adds exclusions to Windows Defender to prevent it from scanning the directory IceXLoader was copied to.” - Minerva Labs.

PowerShell commands to disable AV and add exemptions
PowerShell commands to disable AV and add exemptions (Minerva Labs)

The commands supported by the loader are the following:

  • Stop execution
  • Collect system info and exfiltrate to C2
  • Display dialog box with specified message
  • Restart IceXLoader
  • Send GET request to download a file and open it with “cmd/ C”
  • Send GET request to download an executable to run it from memory
  • Load and execute a .NET assembly
  • Change C2 server beaconing interval
  • Update IceXLoader
  • Remove all copies from the disk and stop running

Minerva reports that the threat actors behind this campaign aren’t interested in securing the stolen data, as the SQLite database holding stolen information is accessible in the C2 address.

The exposed database contains records corresponding to thousands of victims, containing a mix of home PC and corporate PC infections.

The security researchers have informed the affected companies of the exposure, but the database is updated with new entries daily.

Related Articles:

New Unfurling Hemlock threat actor floods systems with malware

Warmcookie Windows backdoor pushed via fake job offers

Police seize over 100 malware loader servers, arrest four cybercriminals

Banking malware Grandoreiro returns after police disruption

Millions of Docker repos found pushing malware, phishing sites