IceXLoader was discovered last June by FortiGuard Labs. It is a commercial malware used to download and deploy additional malware on infected machines. While the version discovered in June (v3.0) looked like a work-in-progress, we recently observed a newer v3.3.3 loader which looks to be fully functionable and includes a multi-stage delivery chain.
Figure 1. IceXLoader delivery chain
First Stage Dropper
The victim receives an archived file which holds the first-stage extractor. The extractor contains the next stage executable as well as different extract settings in the resources:
Figure 2 – Dropper resources
The extractor creates a new .tmp folder under C:\Users\<username>\AppData\Local\Temp and drops the next-stage file (STOREM~2.EXE – .NET downloader) into it:
Figure 3 – Dropped File
If the REBOOT resource is set, the infected station will be rebooted. The extractor then creates a new registry key under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce named wextract_cleanup0 and sets it to “rundll32.exe C:\Windows\system32\advpack.dll, DelNodeRunDLL32 “C:\Users\username\AppData\Local\Temp\IXP000.TMP\””. This will delete the temporary folder created by the extractor during the next computer restart.
Finally, the next-stage downloader is executed, and the extractor process exits.
The executable (STOREM~2.EXE) dropped by the extractor is a simple .Net downloader which downloads a “.png” file from a hardcoded URL:
Figure 4 – Download of IceXLoader dropper
The downloaded stream is converted into a byte array, (Fcyozgdveenwuzwbrsmfqu.dll), which is then loaded in a new thread of the downloader (STOREM~2.EXE) It then invokes a method hardcoded by the author:
Figure 5 – Execution of the dropper
The downloaded DLL is highly obfuscated, and is responsible for :
- Decrypting the IceXLoader
- Ensuring that the file is not executed inside Microsoft Defender’s emulator by verifying that the hostname is not equal to “hal9th”, and the username is not “johndoe”. This is considered a common evasion technique.
- Delaying the execution for 35 seconds – by executing PowerShell with an encrypted command – “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==” – the technique usually used by threat actors to evade sandboxes due to an execution timeout.
- Injecting IceXLoader into a new process (STOREM~2.EXE) by using the Process Hollowing technique.
IceXLoader collects the following information about the victim and sends it to the C&C server:
- Nickname – the nickname set by the malware author and hardcoded in binary; in our case the nickname is “Opus One”.
- IP address.
- Username and machine name.
- Windows OS version.
- Installed security products.
- Presence of .NET Framework v2.0 and/or v4.0.
- Loader Version – in our case is v3.3.3.
- RAM information.
- CPU information.
- GPU information.
- Time stamp.
Figure 6 – information collect
While executing for the first time, IceXLoader copies itself into two directories:
- “C:\Users\ username \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Opus.exe”
It also creates a new registry key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named “Opus” and sets it to “C:\Users\<username>\AppData\Roaming\Opus.exe”.
Both above techniques are used to provide persistency.
Figure 7 – Registry persistency
After creating persistency, the loader executes the newly copied instance of itself by executing the following command: “cmd /c timeout 2 & “C:\Users\<username>\AppData\Roaming\Opus.exe””. This delays execution by two seconds, and deletes the currently executing file, in our case the “C:\Users\<username>\AppData\Local\Temp\IXP000.TMP\ STOREM~2.EXE”. as the loader was injected into it.
When executed again, the loader bypasses AMSI (Antimalware Scan Interface) protection by overwriting (patching) the AmsiScanBuffer API (which scans the user-input) in memory. The AMSI is a set of Windows APIs that allows any application to integrate with an antivirus product (assuming that product acts as an AMSI provider). Windows Defender, naturally, acts as an AMSI provider as do many third-party AV solutions.
Figure 8 – Changing AmsiScanBuffer memory to writable
The loader also creates and executes a .bat file which disables Windows Defender’s real-time scan and also adds exclusions to Windows Defender to prevent it from scanning the directory IceXLoader was copied to.
Figure 9 – PowerShell commands to disable Windows Defender
The list of the commands supported by version 3.3.3 is the same as described by FortiGuard Labs.
IceXLoader attempts to download an additional executable from its C&C server. This file is saved as medianupdate.exe in the user’s temp folder. At the time of our investigation, the C&C server was available, but all the files except the victims’ DBs were removed.
It would appear that the DB file is still being constantly updated (according to the “Last modified” column).
Figure 10 – C&C server
We examined the DB file, appearing to be SQLite, which contained thousands of victim records, which contained consisting of a mix of private home PCs and corporate PCs. We started informing the The affected companies are being informed after the discovery.
Minerva Labs Anti Ransomware Prevention
Minerva Labs Memory Injection Prevention module, which is part of the Minerva Armor Ransomware Protection solution, prevents IceXLoader at the very initial stage of its deployment, thus preventing the further execution flow and stopping the attack before it effectively even starts:
T1105 – Ingress Tool Transfer
T1620 – Reflective Code Loading
T1497 – Virtualization/Sandbox Evasion
T1055.012 – Process Injection: Process Hollowing
T1592 – Gather Victim Host Information
T1590.005 – Gather Victim Network Information: IP Addresses
T1059.001 – Command and Scripting Interpreter: PowerShell
T1562.001 –Impair Defenses: Disable or Modify Tools
- 49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac – first stage dropper
- 7bb69f98d77ca7609c10b9a0ab1ce32be2e26b160413203d5335f65c1bc8ee72 – downloader (STOREM~2.EXE)
- 9a9981d9bd10d3e004457ca4509aeb2bd828f54213f61b8a547c90e52f0b08eb – IceXLoader dropper (Fcyozgdveenwuzwbrsmfqu.dll)
- 0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9 – IceXLoader (Opus.exe)
- hxxps[:]//www.filifilm[.]com.br/images/colors/purple/Ejvffhop.png – IceXLoader dropper