Scammers turn to Nim to better hide their malware


Cybersecurity researchers at Minerva Labs have detected a potentially dangerous strain of malware written in a relatively new programming language called Nim.

The team warned that a growing number of malicious actors are porting their malware to Nim to better hide their tools from antivirus solutions and security teams.

Minerva researchers first discovered IceXLoader in June 2022, when it appeared to still be under development, as many of its core features were missing. Now the malware has reached version 3.3.3, ships with a number of dangerous features, and has already infected "thousands" of Windows devices, both at home and in the office.

Crypto miners

When victims download and run IceXLoader (which usually happens after a successful phishing attack), it does a number of things, from collecting metadata about the target endpoint (IP address, device name, operating system version, hardware information, etc.) to installing a cryptocurrency miner for the Monero coin.

Monero is a popular choice among cybercriminals because it is marketed as a "privacy coin", which makes tracing sent funds virtually impossible.

Generally speaking, IceXLoader is a first-stage loader in a multi-stage attack. It drops additional malware on the target device, based on what the threat actors deem most useful for each individual machine.

The malware is also relatively good at staying hidden. It obfuscates its code, does not run inside the Microsoft Defender emulator, and launches PowerShell with an encrypted request that delays execution of the payload by 35 seconds, which also helps it evade sandboxes that only observe a sample for a short time.
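Added example, not code from the Minerva report or this article: a small Python triage routine that scans PowerShell script-block text (the kind captured by script block logging) for the combination described above, a long Start-Sleep delay together with an encoded or dynamically executed payload. The sample lines, the 30-second threshold, the base64 strings and the function names are all constructed assumptions, not IceXLoader artefacts.

```python
import re

# Constructed sample script blocks modelled on PowerShell script block
# logging (Event ID 4104) text. Illustrative only, not real malware commands.
SAMPLE_SCRIPT_BLOCKS = [
    "Write-Host 'hello'; Get-Date",
    "Start-Sleep -Seconds 35; IEX ([Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('QUJDREVG')))",
    "Start-Sleep -s 5; Get-Process",
    "powershell.exe -NoProfile -EncodedCommand QUJDREVG",
    "Start-Sleep -Milliseconds 40000; Invoke-Expression $payload",
]

# Start-Sleep accepts -Seconds/-s, -Milliseconds/-ms, or a positional value.
SLEEP_RE = re.compile(
    r"Start-Sleep\s+(?:-(?:s|Seconds)\s+(\d+)|-(?:ms|Milliseconds)\s+(\d+)|(\d+))",
    re.I,
)
# Encoded command switches and the usual in-script base64 decode helper.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\b|FromBase64String", re.I)
# Dynamic evaluation of a string as code.
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)


def sleep_seconds(block):
    """Return the longest Start-Sleep delay found in the block, in seconds."""
    longest = 0.0
    for m in SLEEP_RE.finditer(block):
        if m.group(1):
            secs = float(m.group(1))
        elif m.group(2):
            secs = float(m.group(2)) / 1000.0
        else:
            secs = float(m.group(3))
        longest = max(longest, secs)
    return longest


def score_block(block, min_delay=30):
    """List the indicators present in one script block (empty list = benign)."""
    reasons = []
    if sleep_seconds(block) >= min_delay:
        reasons.append("long_sleep")
    if ENCODED_RE.search(block):
        reasons.append("encoded_payload")
    if EXEC_RE.search(block):
        reasons.append("dynamic_exec")
    return reasons


def find_suspicious(blocks, min_delay=30, min_hits=2):
    """Return (index, reasons) for blocks showing at least min_hits indicators."""
    hits = []
    for i, block in enumerate(blocks):
        reasons = score_block(block, min_delay)
        if len(reasons) >= min_hits:
            hits.append((i, reasons))
    return hits
```

Requiring two indicators keeps a lone -EncodedCommand (common in legitimate admin tooling) from firing on its own.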

The researchers found the malware's SQLite database file and discovered "thousands of victim records." They have started notifying the affected people, the report added.

While the original version of IceXLoader sold for €118 on the dark web, according to The Register, the price of the new version remains to be seen.

Via: The Register