Cybersecurity researchers from Minerva Labs have discovered a potential threat Malware (Opens in a new tab) A strain written in a relatively new programming language called Neem.
The team warned that an increasing number of threat actors are moving their malware to Nim to better disguise their tools from antivirus solutions and cybersecurity teams.
In this case, Minerva researchers first found IceXLoader in June 2022, when it was considered under development, as many of its core functions were still missing. Now, however, the malware has reached version 3.3.3, comes with quite a few dangerous features, and has already infected “thousands” of Windows devices – both at home and in the office.
When victims download and run IceXLoader (which usually happens after a successful phishing attack), it will do a number of things – from collecting metadata about the target End point (Opens in a new tab) (IP address, device name, OS version, hardware information, etc.), to install a cryptocurrency miner for Monero.
Monero is a popular choice among cybercriminals as it is described as a “privacy currency” which makes tracking of sent tokens nearly impossible.
In general, IceXLoader is a first-stage malware in a multi-stage attack. Additional malware will be dropped to the target endpoint, depending on what threat actors consider most beneficial to each individual device.
Malware is also relatively good at staying hidden. It blocks code, doesn’t run inside a Microsoft Defender emulator, and PowerShell executes with an encrypted request, delaying malware execution by 35 seconds. This way, it can avoid sandboxing as well.
Researchers found the malware’s SQLite database file, and discovered “thousands of victim logs”. They have started notifying these people, it has been added.
While the original version of IceXLoader went for $118 on the dark web, according to recordThe cost of the new version is not yet clear.
Across: record (Opens in a new tab)