Cybersecurity researchers from Minerva Labs have detected a potentially dangerous malware strain written in a relatively new programming language called Nim.
The team warns that a growing number of cybercriminals are moving their malware to Nim to better hide their tools from antivirus solutions and cybersecurity teams.
In this case, Minerva researchers first discovered IceXLoader in June 2022, when it was believed to be in development because many of its core features were still missing. Now, however, the malware has reached version 3.3.3, contains quite a lot of dangerous features and has already infected “thousands” of Windows devices – both at home and in the office.
Cryptocurrency miners
When victims download and run IceXLoader (usually after a successful phishing attack), it performs a number of activities, ranging from collecting metadata about the target endpoint (IP address, device name, operating system version, hardware information, etc.) to installing a cryptocurrency miner for the Monero currency.
Monero is a popular choice among cybercriminals because it is referred to as a “privacy coin”, making it virtually impossible to track sent tokens.
Overall, IceXLoader is the first stage of a multi-stage attack malware. It will place additional malware on the targeted endpoint depending on what the cybercriminals deem most useful for each device.
The malware is also relatively good at staying hidden. It obfuscates its code, does not run inside the Microsoft Defender emulator, and launches PowerShell with an encrypted request that delays execution of the malware by 35 seconds, a trick that also helps it avoid sandboxes.
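As an added defender-side example (not from the article or from Minerva's report), the script below decodes PowerShell launches from constructed process-creation log lines and flags any whose script sleeps for 30 seconds or more before doing anything else, the delay-then-run pattern described above. It assumes the "encrypted request" is passed through PowerShell's -EncodedCommand switch, which the article does not state.

```python
import base64
import re

# Assumption (not in the article): the "encrypted request" is passed through
# PowerShell's -EncodedCommand switch, i.e. base64 of UTF-16LE script text.
ENC_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
# Start-Sleep in seconds ("Start-Sleep 35", "-s 35", "-Seconds 35") or milliseconds.
SLEEP_SEC = re.compile(r"Start-Sleep\s+(?:-s(?:ec(?:onds)?)?\s+)?(\d+)", re.I)
SLEEP_MS = re.compile(r"Start-Sleep\s+-m(?:illi)?(?:s(?:econds)?)?\s+(\d+)", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded script from an -EncodedCommand launch, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def max_sleep_seconds(script):
    """Longest Start-Sleep delay in the script, in seconds (0 if none)."""
    delays = [int(s) for s in SLEEP_SEC.findall(script)]
    delays += [int(ms) / 1000 for ms in SLEEP_MS.findall(script)]
    return max(delays, default=0)

def find_delayed_launches(log_lines, threshold_seconds=30):
    """Return (timestamp, delay, script) for PowerShell launches that sleep first."""
    hits = []
    for line in log_lines:
        if "powershell" not in line.lower():
            continue
        script = decode_encoded_command(line)
        delay = max_sleep_seconds(script) if script is not None else 0
        if delay >= threshold_seconds:
            hits.append((line.split(" ", 1)[0], delay, script))
    return hits

def encode_command(script):  # used only to build the constructed samples below
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed process-creation log lines: "<timestamp> <image> <command line>".
SAMPLE_LOGS = [
    "2022-11-08T10:01:02 powershell.exe -NoP -W Hidden -enc "
    + encode_command("Start-Sleep -Seconds 35; Write-Output 'stage two'"),
    "2022-11-08T10:01:03 powershell.exe -enc " + encode_command("Start-Sleep -Milliseconds 500; Get-Date"),
    "2022-11-08T10:01:04 powershell.exe -Command Get-Process",
    "2022-11-08T10:01:05 notepad.exe readme.txt",
]
print(find_delayed_launches(SAMPLE_LOGS))
```

Only the first sample line is reported, since a sub-second sleep and a plain -Command launch fall below the threshold.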
Researchers found the malware’s SQLite database file and discovered “thousands of victim records.” The team added that it has started notifying the affected people.
While the original version of IceXLoader sold for $118 on the dark web, according to the Register, the cost of the new version is not yet known.
By: Register