New Version of IceXLoader Malware Infected Thousands of Systems around the World

Written by William Reddy

A phishing campaign distributing the IceXLoader downloader has already affected thousands of home and corporate users, according to Minerva Labs experts.

IceXLoader has been updated to version 3.3.3, which has expanded functionality and introduced a multi-stage delivery chain.

We also wrote, for example, that New BlackLotus UEFI Bootkit Is for Sale on Hacker Forums, and also that Researchers Found an Adware Malware Downloaded More Than 13 million Times on Google Play and the App Store.

Let me remind you that this Nim-based malware was discovered by Fortinet in June 2022. At that time, IceXLoader version 3.0 was distributed over the network, but the loader was missing key features, and in general it looked unfinished. Now, Minerva Labs warns that the latest version of the malware clearly marks the end of the beta test stage.

IceXLoader attacks now start with phishing emails carrying a ZIP archive that contains the first-stage extractor. This extractor creates a new hidden folder (.tmp) on the victim’s machine under C:\Users\\AppData\Local\Temp and downloads the executable for the next stage of the attack, STOREM~2.exe.

This executable is a loader that downloads a PNG from a hardcoded URL and converts it into an obfuscated DLL, which is the IceXLoader payload.

After decrypting this payload, the dropper checks that it is not running inside an emulator and waits 35 seconds before launching the loader, a delay intended to outlast automated sandbox analysis. IceXLoader is then injected into the STOREM~2.exe process using the process hollowing technique.

Scheme of the Attack

The researchers say that when IceXLoader 3.3.3 is first launched, it copies itself into two directories named after the operator’s nickname, and then collects the following information about the host and passes it to the control server:

  1. IP address;
  2. UUID;
  3. username and machine name;
  4. Windows OS version;
  5. installed security products;
  6. presence of .NET Framework v2.0 and/or v4.0;
  7. equipment information;
  8. timestamp.

To persist across reboots, the malware creates a new value under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

“The loader also creates and executes a .bat file that disables Windows Defender real-time scanning and adds a Windows Defender exclusion to prevent scanning of the directory where IceXLoader is copied to,” the experts write.

By the way, the well-known Zloader Trojan does the same.
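The two traits just described, a Run-key autostart entry pointing into a user temp directory and Windows Defender being weakened through a disabled real-time scan plus a path exclusion, are both visible from the host side. The following PowerShell hunt is an added example, not code from the article or from Minerva Labs: it enumerates HKCU Run values, flags any whose command line lives under a temp or AppData root (the roots list is an assumption for illustration), reads the current Defender preferences, and pulls recent Defender operational events 5001 (real-time protection disabled) and 5007 (configuration changed, which covers new exclusions).

```powershell
# Added example for defenders; not the article's or Minerva Labs' code.
# Assumptions: the suspicious-root list and the 7-day lookback are illustrative choices.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# User-writable locations that legitimate autostart entries rarely point into.
$suspiciousRoots = @(
    $env:TEMP,
    (Join-Path $env:LOCALAPPDATA 'Temp'),
    $env:APPDATA
) | Where-Object { $_ }

function Get-SuspiciousRunEntries {
    # Enumerate every value under the current user's Run key and flag commands
    # that resolve into one of the suspicious roots.
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }

    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object {
            $cmd = [string]$_.Value
            $hit = $suspiciousRoots | Where-Object { $cmd -like "*$_*" }
            if ($hit) {
                [pscustomobject]@{
                    Name    = $_.Name
                    Command = $cmd
                    Reason  = 'Run value points into a temp/AppData path'
                }
            }
        }
}

function Get-DefenderTamperingIndicators {
    # Live configuration: is real-time monitoring off, and do any exclusions
    # cover a temp/AppData directory?
    $pref     = Get-MpPreference
    $findings = @()

    if ($pref.DisableRealtimeMonitoring) {
        $findings += [pscustomobject]@{
            Indicator = 'RealtimeMonitoringDisabled'
            Detail    = 'Get-MpPreference reports real-time monitoring is off'
        }
    }

    foreach ($path in $pref.ExclusionPath) {
        $hit = $suspiciousRoots | Where-Object { $path -like "$_*" }
        if ($hit) {
            $findings += [pscustomobject]@{
                Indicator = 'ExclusionInTempPath'
                Detail    = $path
            }
        }
    }

    # Historical evidence from the Defender operational log:
    #   5001 = real-time protection disabled
    #   5007 = Defender configuration changed (includes added exclusions)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`n" | Select-Object -First 1).Trim()
        $findings += [pscustomobject]@{
            Indicator = "DefenderEvent$($e.Id)"
            Detail    = "$($e.TimeCreated): $firstLine"
        }
    }

    $findings
}

# Usage: run in an elevated PowerShell session so Get-MpPreference and the
# Defender log are fully readable.
Get-SuspiciousRunEntries      | Format-Table -AutoSize -Wrap
Get-DefenderTamperingIndicators | Format-Table -AutoSize -Wrap
```

Pairing the live state (Run key, Get-MpPreference) with the event log matters: a .bat that disables real-time scanning and adds an exclusion leaves a 5001 and a 5007 event even if the setting is later reverted, so the log catches tampering that a point-in-time configuration check alone would miss.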

The loader currently supports the following commands:

  1. stop execution;
  2. collect information about the system and transfer it to the control server;
  3. show a dialog box with the specified message;
  4. restart IceXLoader;
  5. send a GET request, download the file and open it with cmd /C;
  6. send a GET request to download an executable file in order to run it in memory;
  7. load and execute the .NET assembly;
  8. change the communication interval with the control server;
  9. update IceXLoader;
  10. delete all copies from the disk and stop working.

Analysts note that the attackers behind this campaign are clearly not interested in protecting the stolen data, since the SQLite database containing the stolen information is freely available at their C&C server address. The open database contains records of thousands of victims, including both home PCs and corporate machines.

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.
