A new phishing campaign has been detected that is being used to distribute a relatively new malware threat called IceXLoader. The malware was first identified in the summer and is being actively developed, with version 3.3 of the malware being distributed in the latest campaign. The malware appears to be a work in progress, with the latest version of the malware having enhanced functionality and a new method of installation is now being used. While it has only been distributed for a few months, it already represents a significant threat.
As the name suggests, IceXLoader is a malware dropper that is designed to deploy additional malicious payloads on infected devices. This could include additional tools to help the operators of the malware achieve their aims or it could be offered to a range of threat actors under the malware-as-a-service model for delivering information stealers, ransomware, and other malicious payloads. The malware was first identified by researchers at Fortinet, who named the malware IceXLoader due to the presence of ICE_X strings in samples of the malware code.
The malware is delivered via phishing emails with a .zip compressed file attachment, which contains the first stage extractor. If allowed to run, this will create a new hidden folder in C:\Users\<username>\AppData\Local\Temp, and will then drop and execute the second stage executable file, which creates a new registry key and deletes the temporary folder. The second stage executable downloads a PNG file from a hardcoded URL, and converts it into an obfuscated DLL file, which is IceXLoader. The dropper will perform checks to see if it is running in a virtual environment and will wait 35 seconds before executing IceXLoader to avoid sandbox detection. IceXLoader will collect a variety of information about its host, will connect to its command-and-control server and exfiltrate that information, and will then drop additional malicious payloads.
The malware is capable of evading Windows Defender and other anti-malware programs to prevent scanning of the folder where IceXLoader resides. Researchers at Minerva Labs note that the exfiltrated data is freely accessible on the C2 server, so the threat actors are currently not interested in securing the stolen data.
Due to the ability of the malware to evade traditional antivirus software solutions, the key to blocking this threat is implement next-generation endpoint detection solutions that are able to identify malware by their behavior, and ensure that strong, multi-layered anti phishing defenses are implemented to block the initial phishing emails, including an advanced spam filter for blocking the email and web filtering technology to prevent downloads of malicious files from the Internet.
It is also important not to neglect the human element of defenses. Security awareness training for the workforce will go a long way toward preventing these and other email-based attacks from succeeding, by teaching employees email security best practices.