A malware loader that in June was described as a "work in progress" is now fully functional and is infecting thousands of corporate and home Windows computers.
IceXLoader version 3 was discovered over the summer by Fortinet's FortiGuard Labs, which wrote that the malware's capabilities were lacking and that it appeared to have been ported to the Nim programming language.

However, researchers from Minerva Labs said on Tuesday that they had found a newer version of IceXLoader, 3.3.3, that works properly.
IceXLoader collects system metadata, such as the IP address, username and machine name, Windows version, and CPU, GPU and memory information, and sends it to a command-and-control (C2) server, according to the researchers.
The C2 server holds a SQLite database that is constantly being updated. According to the researchers, it "contains thousands of victim files, from private home and corporate computers."
IceXLoader was previously advertised on the dark web for $118 for a lifetime license; the price of the new version is not yet known.
The malware initially enters systems through phishing. The emails carry a ZIP file containing a dropper, which drops a downloader written in .NET. That downloader fetches a second dropper, which decrypts and injects IceXLoader.
IceXLoader then communicates directly with the C2 server to receive further commands and additional malware. According to FortiGuard, IceXLoader version 1.0 was used to distribute DCRat (Dark Crystal RAT, a remote access trojan), while version 3.0 distributed a Monero miner.
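The infection chain above starts with a ZIP attachment that hides an executable dropper. As an added example, not code from the article, from Fortinet or from Minerva Labs, the following Python script shows the kind of attachment check a mail gateway or an analyst could run against such an archive: it flags members that carry an executable extension, a double extension such as invoice.pdf.exe, a PE "MZ" header regardless of file name, a nested ZIP that could hold a further stage, or encryption that prevents inspection altogether. The archive contents and the extension list are constructed here for the demonstration and are not taken from any IceXLoader sample.

```python
import io
import zipfile

# Extensions Windows will execute directly (assumption: a representative list
# for the demonstration, not an exhaustive one).
EXEC_EXTENSIONS = {
    ".exe", ".scr", ".dll", ".com", ".pif", ".cpl", ".msi", ".lnk", ".hta",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".ps1",
}
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"


def suspicious_entries(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious archive member to the reasons it was flagged.

    A member is flagged for an executable extension, a double extension, a PE
    header at offset 0 regardless of its name, a nested ZIP archive, or for
    being encrypted, in which case its content cannot be inspected at all.
    """
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons: list[str] = []
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            if len(parts) > 1 and "." + parts[-1] in EXEC_EXTENSIONS:
                reasons.append("executable extension")
            if len(parts) > 2:
                reasons.append("double extension")
            if info.flag_bits & 0x1:
                # Encrypted member: zf.open() would need the password from the
                # lure text, so the bytes cannot be checked; flag it as such.
                reasons.append("password-protected, content not inspectable")
            else:
                with zf.open(info) as fh:
                    head = fh.read(4)
                if head[:2] == PE_MAGIC:
                    reasons.append("PE header (MZ) regardless of name")
                elif head == ZIP_MAGIC:
                    reasons.append("nested ZIP archive")
            if reasons:
                hits[name] = reasons
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample attachment for the demonstration (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice/README.txt", "Please open the attached invoice.")
        # Executable disguised with a double extension; the content is only a
        # fake DOS header, not a real program.
        zf.writestr("Invoice/invoice_2022.pdf.exe",
                    b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00")
        # PE bytes under a benign-looking name: extension checks alone miss it.
        zf.writestr("Invoice/thumbnail.dat", b"MZ\x90\x00\x03\x00")
        # A nested archive, the pattern used to stack droppers.
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("stage2.bin", b"\x00" * 16)
        zf.writestr("Invoice/more.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_entries(build_sample_zip()).items():
        print(f"{member}: {', '.join(why)}")
```

The header check is what catches the renamed payload (thumbnail.dat) that an extension filter would pass; a production gateway would additionally unpack nested archives recursively and hand anything flagged to a sandbox rather than relying on static checks alone.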
IceXLoader has a number of features designed to evade detection by Microsoft Defender.
Additionally, the malware is written in Nim, a newer programming language that compiles to C, C++ and JavaScript. Nim has been adopted in recent years by malware developers trying to make their code harder to detect.
It is part of a larger trend in recent years in which malware developers turn to newer languages such as Go, DLang, Nim and Rust to avoid easy detection.
