IceXLoader Makes an Impact After the Latest Update
Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Minerva Labs
Minerva Labs researchers have identified increased infections with the commercial malware IceXLoader following its update to version 3.3.3. A zip file delivers the first-stage dropper, which creates a Temp folder for IceXLoader's dropper and adds a Run registry entry that deletes the Temp folder after the system reboots. The dropper is responsible for decrypting IceXLoader once it is downloaded, running checks to ensure the malware is not executing in a virtual machine, and injecting IceXLoader into a new process. Once IceXLoader is running, it collects host information to identify the system and network specifications. Additionally, the malware establishes persistence for itself in the Run registry and is capable of bypassing AMSI (Antimalware Scan Interface) protection "by overwriting (patching) the AmsiScanBuffer API (which scans the user-input) in memory." After evading defenses, IceXLoader creates a bat file that disables Windows Defender and adds exclusions for the paths IceXLoader is running from.
- Malicious File Delivering Malware
Anvilogic Use Cases:
- Executable Process from Suspicious Folder
- Encoded Powershell Command
- Modify Windows Defender
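As an added illustration of how the use cases above map onto the behaviours in the report (a dropper running from Temp, a bat file that tampers with Defender, encoded PowerShell), here is a small detection pass over constructed process-creation events. This is example code written for this page, not Anvilogic's detection content or anything from the Minerva Labs report; the event field names (`image`, `cmdline`) and the sample events are assumptions.

```python
import re

# Constructed sample process-creation events, written for this example; they are
# not from the original page or from Minerva Labs' report, and the field names
# (image, cmdline) are an assumption about the log source.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\dropper.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\x.bat"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Local\Temp"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
]

# Folders a dropper commonly writes to; a binary *running* from one is the signal.
SUSPICIOUS_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp|Users\\Public)\\", re.I)
# Defender configuration changes: real-time protection switched off, or exclusions added.
DEFENDER_TAMPER = re.compile(
    r"\b(Set|Add)-MpPreference\b.*-(DisableRealtimeMonitoring|ExclusionPath|ExclusionProcess)\b", re.I)
# The encoded-command switch (any accepted abbreviation) followed by a base64 blob.
ENCODED_PS = re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# cmd.exe launching a batch script; combined with SUSPICIOUS_DIR below.
BATCH_FROM_TEMP = re.compile(r"\bcmd(\.exe)?\b.*\s/c\s+.*\.bat\b", re.I)

def classify(event):
    """Return the names of the use cases an event matches (empty list if none)."""
    hits = []
    image, cmdline = event.get("image", ""), event.get("cmdline", "")
    if SUSPICIOUS_DIR.search(image):
        hits.append("Executable Process from Suspicious Folder")
    if BATCH_FROM_TEMP.search(cmdline) and SUSPICIOUS_DIR.search(cmdline):
        hits.append("Batch Script from Suspicious Folder")
    if ENCODED_PS.search(cmdline):
        hits.append("Encoded Powershell Command")
    if DEFENDER_TAMPER.search(cmdline):
        hits.append("Modify Windows Defender")
    return hits

def scan(events):
    """Map each flagged event index to its matched use cases; clean events are omitted."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", rules)
```

The patterns are deliberately narrow; in production they would be tuned against the environment's baseline and correlated (for example, a Temp-folder executable followed by a Defender exclusion on the same host) rather than alerted on individually.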