Skip links

Windows breaks under upgraded IceXLoader malware

A malware loader deemed in June to be a “work in progress” is now fully functional and infecting thousands of Windows corporate and home PCs.

IceXLoader version 3 was discovered in the summer by Fortinet’s FortiGuard Labs, which wrote that the malware’s features were incomplete and it appeared to have been ported to the Nim programming language.

However, researchers with Minerva Labs on Tuesday reported that they had detected a newer iteration of IceXLoader – version 3.3.3 – complete with a multi-stage delivery chain for nasty code.

IceXLoader gathers metadata from the system – such as the IP address, username and machine name, Windows version, and information about the CPU, GPU, and memory – and sends it to a command-and-control (C2) server, according to the researchers.

They wrote that the malware’s SQLite database file, which is hosted on the C2 server and is continuously being updated, “contained thousands of victim records, which contained “a mix of private home PCs and corporate PCs. We started informing the affected companies after the discovery,” it said

IceXLoader was originally sold on the dark web for $118 per lifetime license by a group of developers that also sells other commodity malware and claims to have more than 200 clients, FortiGuard wrote. What the new version will be worth to criminals is yet to be seen.

The malware initially gets into systems via phishing campaigns. The emails contain a ZIP file which houses a dropper, which drops a .NET-based downloader. That malware downloads another dropper that decrypts and injects IceXLoader into a new process.

IceXLoader contacts the C2 server for further orders and additional malware can be deployed to the compromised system. According to FortiGuard, version 1.0 of IceXLoader was used to distribute the DCRat – or Dark Crystal RAT (remote access trojan) – data exfiltration malware while version 3.0 distributed a Monero cryptocurrency miner.

IceXLoader has a number of features designed to evade detection – including obfuscating the code, not running inside Microsoft Defender’s emulator, and executing PowerShell with an encrypted demand to delay executing the malware for 35 seconds to avoid sandboxes.

In addition, the malware is written in Nim – a newer programming language that compiles to C, C++, and JavaScript. Nim has been adopted in recent years by threat groups to make their malicious code more difficult to detect. It been used for such malware as the NimzaLoader variant of BazarLoader, used by the notorious TrickBot threat group.

It’s part of a larger trend over the past several years of malware developers turning to newer languages like Go, DLang, Nim, and Rust to dodgy easy detection.

“The [IceXLoader] developers market their loader as FUD (Fully UnDetected), a common term used within malware hacking forums to denote malware that can bypass antivirus products,” FortiGuard researchers wrote. “They also claim that they will continuously update it as security products eventually detect such malware.”

The need to remain undetected likely convinced the malware’s developers to transition IceXLoader from AutoID in earlier versions to Nim for version 3 “since Nim is a relatively uncommon language for applications to be written in,” they wrote. ®