Minerva Labs Cybersecurity Researchers Discover Potentially Dangerous Malware (opens in new tab) tribe written in a relatively new programming language called Nim.
The team has warned that a growing number of threat actors are porting their malware to Nim in order to better hide their tools from antivirus solutions and cybersecurity teams.
In this case, the Minerva researchers first found IceXLoader in June 2022, when it was considered under development, as many of its core features were still missing. However, now the malware has reached version 3.3.3, contains quite a few dangerous features and has already infected “thousands” of Windows devices – both at home and in the office.
When victims download and run IceXLoader (which usually happens after a successful phishing attack), it will do a number of things – from collecting metadata about the target endpoint (opens in new tab) (IP address, device name, OS version, hardware information, etc.), to install a cryptocurrency miner for the Monero currency.
Monero is a popular choice among cybercriminals as it is described as a “privacy coin”, making tracking of sent tokens virtually impossible.
Overall, IceXLoader is the first malware in a multi-stage attack. It will drop additional malware to the target endpoint, depending on what the threat actors deem most useful for each individual device.
The malware is also relatively good at staying hidden. It obfuscates the code, does not run in the Microsoft Defender emulator, and runs PowerShell with an encrypted query, delaying the malware execution by 35 seconds. That way it can also avoid sandboxes.
The researchers found the malware’s SQLite database file and discovered “thousands of victim records.” They have started notifying these people, it was added.
While the original version of IceXLoader cost $118 on the dark web, as per The registerthe cost of the new version has yet to be considered.
Through: The register (opens in new tab)