On 8th November 2022, Minerva labs published a blog on the new version of IceXLoader malware which was actively used in phishing campaigns, this malware was discovered by Fortinet labs last summer, and was written in Nim language.
The malware was dropped as an archived file which contains first stage extractor, the extractor contains next-stage executables, the extractor creates a new .tmp folder and then creates a registry key and set it to “rundll32.exe”, this will delete the .tmp folder when a system is restarted.
Then the downloader storem~2.exe downloads a PNG file which is converted into a byte array, the dll then drops an IceXloader malware which connects to the C&C server and further downloads additional malware.
- Use Antivirus or EDR in all endpoints.
- Take regular backups of end devices to reduce the impact of any kind of malware attacks.
Create rules based on known indicators of malware in the SIEM (Security incident event management) tool for the detection of malware.
MITRE ATT&CK® Techniques
|Technique ID||Technique Name|
|T1105||Ingress Tool Transfer|
|T1140||Deobfuscate/Decode Files or Information|
|T1620||Reflective Code Loading|
|T1055.012||Process Injection: Process Hollowing|
|T1592||Gather Victim Host Information|
|T1590.005||Gather Victim Network Information: IP Addresses|
|T1547.001||Boot or Logon Autostart Execution: Registry Run Keys /Startup Folder|
|T1059.001||Command and Scripting Interpreter: PowerShell|
|T1562.001||Impair Defenses: Disable or Modify Tools|
Indicators of Compromise (IOCs)
|First stage dropper|
|Malware hash (Opus.exe)|
ors/purple/Ejvffhop.png – IceXLoader
|IceXLoader dropper URL|