Phishing drops IceXLoader malware on thousands of home, corporate devices (Security News, November 2022)
An ongoing phishing campaign has infected thousands of home and corporate users with a new version of the 'IceXLoader' malware.
Fortinet first documented the Nim-based malware in June 2022, when IceXLoader was at version 3.0; at that time the loader was missing key features and generally looked like a work in progress.
Minerva Labs published a new post on Tuesday, warning that the latest version of IceXLoader marks a departure from the project's beta development stage.
The dropped executable is a downloader that fetches a PNG file from a hardcoded URL and converts it into an obfuscated DLL file, which is the IceXLoader payload. After decrypting the payload, the dropper performs checks to ensure it is not running inside an emulator and waits 35 seconds before executing the malware loader, in order to evade sandboxes.
Upon first launch, IceXLoader version 3.3.3 copies itself into two directories named after the operator's nickname and then collects the following information about the host and exfiltrates it to the C2:

To ensure persistence between reboots, the malware loader also creates a new registry key at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".
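A Run-key entry of the kind described above is one of the easiest persistence mechanisms to audit on an endpoint. The following PowerShell script is an added example for defenders, not code from the article or from Minerva Labs: it enumerates the HKCU and HKLM Run/RunOnce values, resolves the executable each one launches, and flags entries whose target lives in a user-writable location (the profile, AppData or Temp folders, which is where a loader that copies itself into directories of its own choosing would typically land) or lacks a valid Authenticode signature. The "user-writable prefix" heuristic and the choice of which keys to check are this example's own assumptions, not indicators taken from the report.

```powershell
# Added example (not from the article or Minerva Labs): audit autorun entries in
# the Run/RunOnce keys and flag those that look like user-mode malware persistence.
# Assumptions (ours, not the report's): anything launched from a user-writable
# directory, or without a valid Authenticode signature, deserves a closer look.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directory prefixes treated as user-writable, resolved for the current user.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-RunTargetPath {
    param([string]$Command)
    # Expand %VAR% references, then take the quoted path or the first token,
    # discarding any command-line arguments.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
    }
    return ($expanded -split '\s+')[0]
}

function Test-UserWritablePath {
    param([string]$Path)
    $p = $Path.ToLowerInvariant()
    foreach ($prefix in $userWritable) {
        if ($p.StartsWith($prefix)) { return $true }
    }
    return $false
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        $target = Get-RunTargetPath -Command ([string]$p.Value)
        $exists = Test-Path -LiteralPath $target -PathType Leaf
        $signed = $false
        if ($exists) {
            $signed = (Get-AuthenticodeSignature -FilePath $target).Status -eq 'Valid'
        }
        [pscustomobject]@{
            Key          = $key
            ValueName    = $p.Name
            Target       = $target
            Exists       = $exists
            UserWritable = Test-UserWritablePath -Path $target
            Signed       = $signed
        }
    }
}

Write-Host "Suspicious autorun entries (user-writable target or no valid signature):"
$findings |
    Where-Object { $_.UserWritable -or -not $_.Signed } |
    Format-Table -AutoSize

Write-Host "`nAll autorun entries:"
$findings | Format-Table -AutoSize
```

The script is a point-in-time check; for continuous coverage, the same keys can be watched with Sysmon's registry value-set event (Event ID 13) or an EDR rule, so that a new Run value pointing into a user profile is raised as it is written rather than found on the next audit.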
The exposed database holds records for thousands of victims, a mix of home PC and corporate PC infections.