An ongoing phishing campaign is affecting both corporate and personal machines. The campaign is being used to distribute version 3.3.3 of the IceXLoader malware. The malware was first spotted this summer but was believed to be in the early stages of development; researchers at Minerva Labs have since seen improvements that indicate it is out of beta and fully developed. The attack begins with the delivery of a .ZIP file containing the first-stage extractor, which creates a new temp folder. The infected machine is then restarted, a new registry key is created, and the temp folder is deleted. The dropped executable is a downloader that fetches a PNG file from a hardcoded URL and converts it into an obfuscated DLL, which is the IceXLoader payload. After decrypting the payload, the dropper checks that it is running on a real machine rather than in an emulator or sandbox. The malware then sends details to the Command and Control (C2) server and can receive commands to download additional malware or exfiltrate data.
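The chain above (execution from a temp folder, a new registry key, deletion of the temp folder, then a downloader fetching a "PNG") is the kind of sequence a detection team can correlate rather than alert on piece by piece. The following is an added example, not code from Minerva Labs, Binary Defense or the IceXLoader write-up: a small correlation rule run over constructed Sysmon-style events. The event fields, the `Run` key location, the trusted-directory list, the browser allow-list and the one-hour window are all assumptions chosen for illustration; the page names none of these specifics.

```python
from collections import defaultdict
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record (constructed; field names are an assumption)."""
    host: str
    ts: int      # seconds since epoch (constructed values below)
    kind: str    # "process", "registry", "file_delete" or "network"
    image: str   # full path of the process that caused the event
    detail: str  # target path, registry value path, or URL


TEMP_MARKERS = ("\\temp\\",)
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW = 60 * 60  # seconds; generous because a reboot sits inside the chain (assumption)


def in_temp(path: str) -> bool:
    return any(m in path.lower() for m in TEMP_MARKERS)


def trusted(image: str) -> bool:
    # Crude allow-list for the example; real rules would use signer/hash, not path.
    return image.lower().startswith(TRUSTED_DIRS)


def stage(ev: Event):
    """Map an event to one stage of the chain described in the write-up, or None."""
    if ev.kind == "process" and in_temp(ev.image):
        return "exec_from_temp"
    if (ev.kind == "registry" and not trusted(ev.image)
            and any(k in ev.detail.lower() for k in RUN_KEYS)):
        return "persistence_key"
    if ev.kind == "file_delete" and not trusted(ev.image) and in_temp(ev.detail):
        return "temp_cleanup"
    if (ev.kind == "network" and ev.detail.lower().endswith(".png")
            and ntpath.basename(ev.image).lower() not in BROWSERS
            and not trusted(ev.image)):
        return "image_download"
    return None


def correlate(events, min_stages: int = 3) -> dict:
    """Return {host: [stage, ...]} for hosts on which at least min_stages distinct
    stages occur within WINDOW seconds of each other."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        s = stage(ev)
        if s is not None:
            hits[ev.host].append((ev.ts, s))
    alerts = {}
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            seen = {s for t, s in seq[i:] if t - t0 <= WINDOW}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts


# Constructed sample telemetry. Paths, hostnames and URLs are placeholders.
T = "C:\\Users\\alice\\AppData\\Local\\Temp\\extract1\\"
SAMPLE_EVENTS = [
    # ws01: the full chain from the write-up
    Event("ws01", 1000, "process", T + "Invoice.exe", "parent=explorer.exe"),
    Event("ws01", 1600, "registry", T + "Invoice.exe",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update"),
    Event("ws01", 1605, "file_delete", T + "Invoice.exe", T),
    Event("ws01", 1700, "network", "C:\\Users\\alice\\AppData\\Roaming\\svc.exe",
          "http://cdn.example.invalid/logo.png"),
    # ws02: benign activity that touches the same primitives one at a time
    Event("ws02", 1000, "process",
          "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe", "parent=explorer.exe"),
    Event("ws02", 1200, "network",
          "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
          "https://www.example.invalid/banner.png"),
    Event("ws02", 1300, "file_delete", "C:\\Windows\\System32\\svchost.exe",
          "C:\\Users\\bob\\AppData\\Local\\Temp\\old.tmp"),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Each stage on its own is noisy (installers run from temp folders, browsers fetch images all day), which is why the rule only fires when several distinct stages land on one host inside the window; `ws02` hits a single stage and stays quiet while `ws01` trips all four.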
It is important for companies to properly train employees on how to spot phishing emails. Organizations should also have detections in place to identify when malware has been downloaded. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.