IceXLoader Malware

Analysis

On 8 November 2022, Minerva Labs published a blog post on a new version of the IceXLoader malware, which was being actively used in phishing campaigns. The malware, written in the Nim language, was first discovered by Fortinet Labs last summer.

The malware was delivered as an archive containing a first-stage extractor. The extractor carries the next-stage executables; it creates a new .tmp folder and then creates a registry key set to “rundll32.exe”, which deletes the .tmp folder when the system is restarted.

The downloader, storem~2.exe, then downloads a PNG file that is converted into a byte array. The DLL then drops the IceXLoader malware, which connects to the C&C server and downloads additional malware.

Prevention

  • Use antivirus or EDR on all endpoints.
  • Take regular backups of end devices to reduce the impact of malware attacks of any kind.

Detection

Create rules in the SIEM (Security Information and Event Management) tool based on the known indicators of this malware to detect it.
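As an added example (not part of the original advisory), the following Python script turns the indicators published on this page into a simple matcher and runs it over a few constructed log lines. It refangs the defanged URL (hxxps[:]// and [.] are the publisher's notation, not what appears in proxy logs), matches SHA256 values case-insensitively, and reports which indicator and description each hit corresponds to. The log lines and the field names in them (src=, url=, sha256=) are constructed for the example and are not from any real product.

```python
import re

# Indicators published on this page. The URL is kept defanged here exactly as
# published and is refanged only at match time.
IOCS = [
    ("SHA256", "49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac", "First stage dropper"),
    ("SHA256", "7bb69f98d77ca7609c10b9a0ab1ce32be2e26b160413203d5335f65c1bc8ee72", "Downloader"),
    ("SHA256", "9a9981d9bd10d3e004457ca4509aeb2bd828f54213f61b8a547c90e52f0b08eb", "Malware hash (Fcyozgdveenwuzwbrsmfqu.dll)"),
    ("SHA256", "0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9", "Malware hash (Opus.exe)"),
    ("URL", "hxxps[:]//www.filifilm[.]com.br/images/colors/purple/Ejvffhop.png", "IceXLoader dropper URL"),
]

# Constructed sample log lines (not real telemetry): a proxy line fetching the
# published dropper URL, an EDR line for a file with the first-stage hash
# (upper-case, as some tools emit it), and a benign proxy line.
SAMPLE_LOGS = [
    "2022-11-09T10:21:03Z proxy src=10.0.0.23 method=GET "
    "url=https://www.filifilm.com.br/images/colors/purple/Ejvffhop.png status=200",
    "2022-11-09T10:20:41Z edr host=WS-0412 event=FileCreate "
    "path=C:\\Users\\user\\Downloads\\invoice.exe "
    "sha256=49D6552AE5C5027CE1E68EDEE2438564B50DDC384276FD97360C92503771D3AC",
    "2022-11-09T10:22:10Z proxy src=10.0.0.23 method=GET "
    "url=https://example.com/index.html status=200",
]

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def refang(indicator: str) -> str:
    """Undo the common defanging notation so the URL matches what logs contain."""
    return (indicator.replace("hxxps", "https")
                     .replace("hxxp", "http")
                     .replace("[:]", ":")
                     .replace("[.]", "."))


def build_lookup(iocs):
    """Normalize each indicator into a dict keyed by (type, lower-cased value)."""
    lookup = {}
    for ioc_type, value, description in iocs:
        if ioc_type == "SHA256":
            key = value.lower()
        elif ioc_type == "URL":
            key = refang(value).lower()
        else:
            continue  # other indicator types are not handled by this matcher
        lookup[(ioc_type, key)] = description
    return lookup


def scan(lines, iocs=IOCS):
    """Return a list of (line_no, ioc_type, indicator, description) hits.

    SHA256 values are extracted with a regex and looked up exactly; URLs are
    matched as case-insensitive substrings of the whole line.
    """
    lookup = build_lookup(iocs)
    hits = []
    for line_no, line in enumerate(lines, start=1):
        lowered = line.lower()
        for candidate in SHA256_RE.findall(line):
            description = lookup.get(("SHA256", candidate.lower()))
            if description:
                hits.append((line_no, "SHA256", candidate.lower(), description))
        for (ioc_type, key), description in lookup.items():
            if ioc_type == "URL" and key in lowered:
                hits.append((line_no, "URL", key, description))
    return hits


if __name__ == "__main__":
    for line_no, ioc_type, indicator, description in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {ioc_type} {indicator} -> {description}")
```

Matching on exact hashes and URLs is the weakest form of detection, since a recompiled sample or a moved payload defeats it; in practice these rules are a starting point, and the registry persistence and rundll32 behaviour described above are the more durable things to alert on.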

MITRE ATT&CK® Techniques

Technique ID   Technique Name
T1105          Ingress Tool Transfer
T1140          Deobfuscate/Decode Files or Information
T1620          Reflective Code Loading
T1027          Virtualization/Sandbox Evasion
T1055.012      Process Injection: Process Hollowing
T1592          Gather Victim Host Information
T1590.005      Gather Victim Network Information: IP Addresses
T1547.001      Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1059.001      Command and Scripting Interpreter: PowerShell
T1562.001      Impair Defenses: Disable or Modify Tools


Indicators of Compromise (IOCs)

Type     Indicator                                                           Description
SHA256   49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac    First stage dropper
SHA256   7bb69f98d77ca7609c10b9a0ab1ce32be2e26b160413203d5335f65c1bc8ee72    Downloader
SHA256   9a9981d9bd10d3e004457ca4509aeb2bd828f54213f61b8a547c90e52f0b08eb    Malware hash (Fcyozgdveenwuzwbrsmfqu.dll)
SHA256   0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9    Malware hash (Opus.exe)
URL      hxxps[:]//www.filifilm[.]com.br/images/colors/purple/Ejvffhop.png   IceXLoader dropper URL


References

Minerva labs
