Windows Breaks under upgraded IceXLoader Malware

upnorth (Moderator, Thread author) · Jul 27, 2015
A malware loader deemed in June to be a "work in progress" is now fully functional and infecting thousands of Windows corporate and home PCs.

IceXLoader version 3 was discovered in the summer by Fortinet's FortiGuard Labs, which wrote that the malware's features were incomplete and it appeared to have been ported to the Nim programming language. However, researchers with Minerva Labs on Tuesday reported that they had detected a newer iteration of IceXLoader – version 3.3.3 – complete with a multi-stage delivery chain for nasty code. IceXLoader gathers metadata from the system – such as the IP address, username and machine name, Windows version, and information about the CPU, GPU, and memory – and sends it to a command-and-control (C2) server, according to the researchers.

They wrote that the malware's SQLite database file, which is hosted on the C2 server and is continuously being updated, contained "thousands of victim records," which contained "a mix of private home PCs and corporate PCs. We started informing the affected companies after the discovery," it said.
IceXLoader has a number of features designed to evade detection - including obfuscating the code, not running inside Microsoft Defender's emulator, and executing PowerShell with an encrypted demand to delay executing the malware for 35 seconds to avoid sandboxes. In addition, the malware is written in Nim - a newer programming language that compiles to C, C++, and JavaScript. Nim has been adopted in recent years by threat groups to make their malicious code more difficult to detect. It has been used for such malware as the NimzaLoader variant of BazarLoader, used by the notorious TrickBot threat group.
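The post above mentions that the loader launches PowerShell with an encoded command that sleeps for 35 seconds before doing anything, so that short-lived sandbox runs expire first. The script below is an added example for readers of this thread (it is not from the article, from Minerva Labs, or from any IceXLoader sample): it decodes `-EncodedCommand` payloads found in process-creation command lines, measures the longest `Start-Sleep` in the decoded script, and flags launches that combine an encoded script with a long initial delay. The command lines it is run against are constructed here, and the 30-second threshold is an assumed tuning value, not something the article states.

```python
"""Flag encoded PowerShell launches that stall before running, as a sandbox-evasion indicator.

Added example for this thread; the log lines are constructed here, not taken
from the article or from any IceXLoader sample.
"""
import base64
import re

# Matches the -EncodedCommand switch and its common abbreviations (-e, -ec, -enc).
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Matches Start-Sleep (or its 'sleep' alias) with an optional -Seconds/-Milliseconds parameter.
SLEEP_RE = re.compile(
    r"\b(?:start-sleep|sleep)\s+(?:-(?P<unit>seconds|sec|s|milliseconds|ms|m)\s+)?(?P<n>\d+)",
    re.IGNORECASE,
)


def encode_ps(script: str) -> str:
    """PowerShell expects -EncodedCommand payloads as base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def max_sleep_seconds(script: str) -> float:
    """Largest Start-Sleep delay in the script, normalised to seconds."""
    longest = 0.0
    for m in SLEEP_RE.finditer(script):
        n = int(m.group("n"))
        unit = (m.group("unit") or "s").lower()
        secs = n / 1000.0 if unit.startswith("m") else float(n)
        longest = max(longest, secs)
    return longest


def analyze(cmdline: str, threshold_seconds: float = 30.0) -> dict:
    """Decode the launch and flag it when an encoded script stalls for >= threshold seconds."""
    script = decode_encoded_command(cmdline)
    delay = max_sleep_seconds(script) if script else 0.0
    return {
        "encoded": script is not None,
        "script": script,
        "delay_seconds": delay,
        "suspicious": script is not None and delay >= threshold_seconds,
    }


# Constructed process-creation command lines (hypothetical, for demonstration only).
SAMPLE_CMDLINES = [
    # encoded script that sleeps 35 s before its next step: should be flagged
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_ps("Start-Sleep -Seconds 35; Write-Output 'stage two would run here'"),
    # plain-text benign command: not encoded, no delay
    'powershell.exe -ExecutionPolicy Bypass -Command "Get-Date"',
    # encoded but only a half-second pause: below the threshold
    "powershell.exe -enc " + encode_ps("Start-Sleep -Milliseconds 500; Get-Process"),
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = analyze(line)
        print(f"suspicious={r['suspicious']} delay={r['delay_seconds']}s encoded={r['encoded']}")
```

The check keys on the combination (encoded script plus a long sleep) rather than on either signal alone, since encoded commands and short sleeps are both common in legitimate administration scripts; feed it the command-line field from Sysmon event 1 or Windows event 4688 and tune the threshold to your environment.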