Researchers have discovered new waves of malware campaigns, with two information-stealing malware families making the rounds in the wild. Named StrelaStealer and IceXLoader, both rely on malicious email attachments to lure their targets.
- Upon execution, StrelaStealer searches for credentials stored in the Thunderbird and Outlook email clients and steals them.
- The malware is delivered via spam emails carrying malicious ISO files as attachments.
- In one sample, the ISO carried the executable file msinfo32.exe, which infects the target device with the malware via a DLL search order hijacking attack.
- In another sample, the ISO carried an LNK file and a polyglot file (one that can be parsed both as an HTML document and as a DLL), which eventually loads the malware.
- It opens a decoy document in the default browser to avoid arousing suspicion.
- The malware then checks for a specific response from the C2 confirming that the stolen data has been received, and only then quits.
- Until that confirmation arrives, it retries the connection every second and attempts to steal the data again.
- The new IceXLoader variant, tracked as v3.3.3, is fully functional and includes a multi-stage delivery chain that targets Windows devices with DarkCrystal RAT and cryptocurrency miners.
- Written in the Nim language, IceXLoader is known to be delivered via phishing emails carrying malicious ZIP files that deploy next-stage malware.
- The ZIP files drop a .NET-based downloader, which in turn drops a PNG image named Ejvffhop.png. This image file is another dropper, which decrypts IceXLoader and injects it into a new process using process hollowing.
- Upon infection, the malware collects system metadata, exfiltrates it to a remote server controlled by the attacker, and awaits further instructions from the C2 server.
- It can download and execute next-stage malware filelessly in memory.
- It can also reboot the compromised system, uninstall the loader, or halt its own execution.
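The StrelaStealer bullet about an attachment that is both an HTML document and a DLL describes a polyglot. A defender triaging ISO contents can flag such files by checking for both kinds of structure at once. The script below is an added example written for this summary; it is not code from the original report or from either malware. It assumes the polyglot starts with a valid DOS/PE header (the Windows loader requires the `MZ` magic at offset 0, while HTML parsers tolerate leading non-markup bytes), and the sample blob it builds is a constructed, non-functional PE skeleton used only to exercise the checks.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag marking a DLL image
COFF_HEADER_LEN = 24     # "PE\0\0" signature (4) + COFF file header (20)
HTML_MARKERS = (b"<!doctype html", b"<html", b"<body", b"<script")


def build_sample(dll: bool = True, with_html: bool = True) -> bytes:
    """Constructed test blob: a minimal PE header with optional HTML overlay.

    This is NOT a real executable; it only has enough structure for the
    checks in this script to recognise it.
    """
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    characteristics = 0x0022 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack(
        "<4sHHIIIHH",
        b"PE\0\0",       # PE signature
        0x8664,          # Machine: x64
        0,               # NumberOfSections
        0,               # TimeDateStamp
        0,               # PointerToSymbolTable
        0,               # NumberOfSymbols
        0,               # SizeOfOptionalHeader
        characteristics,
    )
    overlay = b"<html><body><script>/* decoy page */</script></body></html>" if with_html else b"\x00" * 32
    return bytes(dos_header) + coff + overlay


def pe_characteristics(data: bytes):
    """Return the COFF Characteristics field if `data` has a PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + COFF_HEADER_LEN > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics sits 22 bytes into the COFF header (after signature, Machine,
    # NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader).
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return characteristics


def looks_like_html(data: bytes) -> bool:
    """Cheap marker scan; HTML parsers will happily render markup that follows binary junk."""
    lowered = data.lower()
    return any(marker in lowered for marker in HTML_MARKERS)


def classify(data: bytes) -> dict:
    """Classify a blob as PE / DLL / HTML and flag the PE+HTML polyglot combination."""
    characteristics = pe_characteristics(data)
    is_pe = characteristics is not None
    is_dll = is_pe and bool(characteristics & IMAGE_FILE_DLL)
    has_html = looks_like_html(data)
    return {"is_pe": is_pe, "is_dll": is_dll, "has_html": has_html, "polyglot": is_pe and has_html}


def scan_file(path: str) -> dict:
    """Classify a file on disk (reads it fully; fine for attachment-sized inputs)."""
    with open(path, "rb") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    for label, blob in (
        ("dll+html polyglot", build_sample()),
        ("plain dll", build_sample(with_html=False)),
        ("plain html", b"<html><body>hello</body></html>"),
    ):
        print(f"{label:18s} {classify(blob)}")
```

Any attachment where `polyglot` is true deserves a closer look: a legitimate DLL has no reason to carry HTML markup, and a legitimate web page has no reason to start with a PE header. The marker list is deliberately small; extend it if your mail gateway sees other markup dialects.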
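StrelaStealer's behaviour of reconnecting every second until the C2 acknowledges receipt leaves a distinctive pattern in proxy or firewall logs: a host hitting one destination at a fixed one-second cadence, often with an identical payload size each time. The detector below is an added example for this summary, not code from the original report; the log format (timestamp, source host, destination, bytes sent) and the log lines themselves are constructed for illustration, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real indicators.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real incident):
# <ISO timestamp> <source host> <destination ip:port> <bytes sent>
SAMPLE_LOG = """\
2023-11-10T09:00:00 ws-17 203.0.113.10:443 2140
2023-11-10T09:00:01 ws-17 203.0.113.10:443 2140
2023-11-10T09:00:02 ws-17 203.0.113.10:443 2140
2023-11-10T09:00:03 ws-17 203.0.113.10:443 2140
2023-11-10T09:00:04 ws-17 203.0.113.10:443 2140
2023-11-10T09:00:05 ws-17 203.0.113.10:443 2140
2023-11-10T09:00:00 ws-22 198.51.100.5:443 512
2023-11-10T09:00:40 ws-22 198.51.100.5:443 480
2023-11-10T09:01:30 ws-22 198.51.100.5:443 530
"""


def parse_log(text: str) -> dict:
    """Group (timestamp, bytes) records by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def find_retry_loops(events: dict, interval: float = 1.0, tolerance: float = 0.5, min_run: int = 5) -> list:
    """Flag runs of consecutive connections spaced `interval` seconds apart (+/- tolerance).

    A run of at least `min_run` connections from one host to one destination is
    reported, together with whether every connection sent the same byte count
    (the same stolen blob being re-sent until the C2 acknowledges it).
    """
    findings = []
    for (src, dst), recs in events.items():
        recs = sorted(recs)
        start = 0
        for i in range(1, len(recs) + 1):
            in_run = (
                i < len(recs)
                and abs((recs[i][0] - recs[i - 1][0]).total_seconds() - interval) <= tolerance
            )
            if not in_run:
                run = recs[start:i]
                if len(run) >= min_run:
                    findings.append({
                        "src": src,
                        "dst": dst,
                        "connections": len(run),
                        "first": run[0][0].isoformat(),
                        "last": run[-1][0].isoformat(),
                        "constant_size": len({b for _, b in run}) == 1,
                    })
                start = i
    return findings


if __name__ == "__main__":
    for f in find_retry_loops(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections "
              f"{f['first']}..{f['last']} constant_size={f['constant_size']}")
```

In the sample, `ws-17` trips the rule with six one-second-spaced connections of identical size, while `ws-22`'s irregular, differently sized requests do not. Tune `min_run` upward on noisy networks; a tight cadence with a constant payload size is the stronger signal, so treat `constant_size` as a weight in scoring rather than a requirement.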