Analysis
On 8 November 2022, Minerva Labs published a blog post on a new version of the IceXLoader malware, which was being actively used in phishing campaigns. The malware was first discovered by Fortinet in the summer of 2022 and is written in the Nim language.
The malware is delivered as an archive file that contains a first-stage extractor; the extractor in turn carries the next-stage executables. The extractor creates a new .tmp folder and then adds a registry key whose value invokes rundll32.exe; that entry deletes the .tmp folder the next time the system restarts.
The downloader storem~2.exe then fetches a PNG file, converts it into a byte array and loads the resulting DLL. That DLL drops the IceXLoader payload, which connects to the C&C server and downloads additional malware.
Prevention
- Use antivirus or EDR on all endpoints.
- Take regular backups of end devices to reduce the impact of any kind of malware attack.
Detection
Create rules in the SIEM (Security Information and Event Management) tool based on the known indicators of this malware (the file hashes and the dropper URL listed below) so that its presence can be detected.
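As an added illustration of that rule-building step (example code written for this page, not code from Minerva Labs or from the malware), the script below matches the indicators from the IOC table the way an endpoint or SIEM rule would: it hashes files under a directory and flags any whose SHA-256 is in the IOC set, and it scans web-proxy log lines for the dropper URL after refanging the defanged form (hxxps[:]//, [.]) used on this page. The proxy log lines and the sample file are constructed for the demo; a hit on the bare host is reported separately from a hit on the full URL, because the file was hosted on what looks like an ordinary website and a host-only match is weaker evidence than the exact path.

```python
"""Offline IOC matcher for the IceXLoader indicators listed on this page.

Added example for this page, not the Minerva Labs code. The IOC_SHA256
and IOC_URLS_DEFANGED values are taken from the IOC table; the log lines
and the temporary sample file are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from urllib.parse import urlparse

# SHA-256 indicators from the IOC table on this page.
IOC_SHA256 = {
    "49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac": "first-stage dropper",
    "7bb69f98d77ca7609c10b9a0ab1ce32be2e26b160413203d5335f65c1bc8ee72": "downloader",
    "9a9981d9bd10d3e004457ca4509aeb2bd828f54213f61b8a547c90e52f0b08eb": "Fcyozgdveenwuzwbrsmfqu.dll",
    "0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9": "Opus.exe",
}

# Defanged URL indicator exactly as the IOC table gives it.
IOC_URLS_DEFANGED = [
    "hxxps[:]//www.filifilm[.]com.br/images/colors/purple/Ejvffhop.png",
]

# Constructed proxy log lines (not real traffic): one benign request, one
# fetch of the dropper URL, one request to the same host but another path.
SAMPLE_PROXY_LOG = [
    "2022-11-09T10:01:12Z 10.0.0.5 GET https://www.example.org/index.html 200",
    "2022-11-09T10:02:48Z 10.0.0.5 GET https://www.filifilm.com.br/images/colors/purple/Ejvffhop.png 200",
    "2022-11-09T10:03:01Z 10.0.0.7 GET https://www.filifilm.com.br/ 200",
]


def refang(ioc: str) -> str:
    """Turn the report's defanged URL back into the form that appears in logs."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str, iocs=IOC_SHA256):
    """Return (path, sha256, label) for every file under root whose hash is an IOC."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def scan_log_lines(lines, defanged_urls=IOC_URLS_DEFANGED):
    """Return (line_no, kind, value) hits; kind is 'url' (exact) or 'host' (weaker)."""
    urls = {refang(u) for u in defanged_urls}
    hosts = {urlparse(u).netloc for u in urls}
    hits = []
    for lineno, line in enumerate(lines, 1):
        url_hit = next((u for u in urls if u in line), None)
        if url_hit:
            hits.append((lineno, "url", url_hit))
            continue
        host_hit = next((h for h in hosts if h in line), None)
        if host_hit:
            hits.append((lineno, "host", host_hit))
    return hits


def demo_file_scan():
    """Show the hash rule on a throwaway directory with one constructed file.

    Against the real IOC set the file is clean; it is flagged only when its
    own hash is supplied as an indicator. Returns (clean_hits, test_hits, label).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content, not real malware")
        digest = sha256_file(path)
        clean = scan_directory(tmp)
        flagged = scan_directory(tmp, {digest: "test indicator"})
    return len(clean), len(flagged), flagged[0][2] if flagged else None


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_PROXY_LOG):
        print(hit)
    print(demo_file_scan())
```

In production the hash set and URL list would be loaded from the threat-intel feed rather than hard-coded, and the host-only hits would feed a lower-severity alert than the exact-URL match.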
MITRE ATT&CK® Techniques
Technique ID | Technique Name |
T1105 | Ingress Tool Transfer |
T1140 | Deobfuscate/Decode Files or Information |
T1620 | Reflective Code Loading |
T1497 | Virtualization/Sandbox Evasion |
T1055.012 | Process Injection: Process Hollowing |
T1592 | Gather Victim Host Information |
T1590.005 | Gather Victim Network Information: IP Addresses |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys /Startup Folder |
T1059.001 | Command and Scripting Interpreter: PowerShell |
T1562.001 | Impair Defenses: Disable or Modify Tools |
Indicators of Compromise (IOCs)
Type | Indicator | Description |
SHA256 | 49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac | First-stage dropper |
SHA256 | 7bb69f98d77ca7609c10b9a0ab1ce32be2e26b160413203d5335f65c1bc8ee72 | Downloader |
SHA256 | 9a9981d9bd10d3e004457ca4509aeb2bd828f54213f61b8a547c90e52f0b08eb | Malware hash (Fcyozgdveenwuzwbrsmfqu.dll) |
SHA256 | 0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9 | Malware hash (Opus.exe) |
URL | hxxps[:]//www.filifilm[.]com.br/images/colors/purple/Ejvffhop.png | IceXLoader dropper URL |
References
Minerva Labs, blog post of 8 November 2022 on the new IceXLoader version.