A new version of IceXLoader has been discovered by researchers at Minerva Labs. According to them, the sample found in June (v3.0) looked unfinished, while the latest find (v3.3.3) is fully functional.
IceXLoader is malware sold on dark web marketplaces for $118. It is most often used to deliver and launch additional malware on compromised hosts.
IceXLoader is usually distributed via phishing emails carrying ZIP archives, which serve as the trigger for deploying the malware. Attackers use it to infect victims with DarkCrystal RAT and cryptominers.
A typical attack unfolds as follows:
- as soon as the victim opens the ZIP archive, a .NET-based dropper starts;
- the dropper downloads a PNG image from a hardcoded URL;
- a second dropper converts the image into a byte array, which lets it decrypt IceXLoader and inject it into a new process.
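The article does not say how the payload is encoded inside the downloaded "PNG" (whether the file is a real image with data hidden in it or an opaque blob that merely carries a PNG header). The following is an added defensive example written for this page, not the Minerva Labs analysis and not IceXLoader code: it walks the chunk structure of a file that claims to be a PNG and reports anomalies that a payload carrier often shows, such as a non-alphabetic chunk type, a bad CRC, a chunk length that runs past the end of the file, or extra bytes appended after IEND. All sample inputs are constructed inline; the function and constant names are this example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """Constructed sample: a minimal, valid 1x1 8-bit RGB PNG (one red pixel)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte 0 + RGB(255, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_anomalies(data: bytes) -> list[str]:
    """Return structural anomalies for a blob that claims to be a PNG.

    An empty list means the container is well-formed; it does NOT prove the
    image is benign (data can still be hidden inside valid chunks)."""
    findings: list[str] = []
    if not data.startswith(PNG_SIG):
        return ["bad-signature"]
    pos = len(PNG_SIG)
    saw_ihdr = saw_idat = saw_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not ctype.isalpha():
            # Chunk types are four ASCII letters; encrypted bytes almost never are.
            findings.append("bad-chunk-type")
            return findings
        name = ctype.decode("ascii")
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            # Declared length runs past the file: not a real chunk list.
            findings.append(f"truncated-chunk:{name}")
            return findings
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings.append(f"bad-crc:{name}")
        if name == "IHDR":
            saw_ihdr = True
        elif name == "IDAT":
            saw_idat = True
        elif name == "IEND":
            saw_iend = True
            # Anything after IEND is ignored by image viewers but is a classic
            # place to park an encrypted payload behind a file that still renders.
            trailing = len(data) - chunk_end
            if trailing:
                findings.append(f"trailing-bytes:{trailing}")
            break
        pos = chunk_end
    if not saw_iend:
        findings.append("no-iend")
    if not (saw_ihdr and saw_idat):
        findings.append("missing-ihdr-or-idat")
    return findings


# Constructed samples (not real IceXLoader artefacts):
VALID_PNG = make_png_1x1()
FAKE_PNG = PNG_SIG + bytes(range(256)) * 2            # PNG signature glued onto opaque data
PNG_WITH_TRAILER = make_png_1x1() + bytes(range(64))  # real image with 64 opaque bytes after IEND

if __name__ == "__main__":
    for label, blob in (("valid", VALID_PNG), ("fake", FAKE_PNG), ("trailer", PNG_WITH_TRAILER)):
        print(f"{label:8s} {png_anomalies(blob) or 'ok'}")
```

Run as a filter over images fetched by a process that has no business downloading pictures (a freshly extracted .NET binary, for instance); a non-empty result is a reason to look at what the downloading process does next, not a verdict on its own.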
Like the previous version, IceXLoader 3.3.3 is written in Nim. The malware collects system metadata and sends it to an attacker-controlled domain. The loader accepts commands from the server: restart, remove, or stop. Its main feature, however, is the ability to download and execute additional malicious programs, either from disk or filelessly in memory.
Minerva Labs experts noted that the attackers' database is constantly being updated with information about thousands of new victims. The company is now actively notifying all affected organizations about the compromise.