
StrelaStealer and IceXLoader Drive Info-Stealing Campaigns


Researchers have discovered new waves of malware campaigns, with two information-stealing malware families making the rounds in the wild. Named StrelaStealer and IceXLoader, both are delivered to their targets through malicious email attachments.

StrelaStealer campaign

The StrelaStealer info-stealer was first identified in early November, targeting internet users in Spain.
  • Upon execution, the malware searches the Thunderbird and Outlook email clients for stored credentials and steals them.
  • It is delivered via spam emails carrying malicious ISO files as attachments. Mounting an ISO presents its contents as a drive, which is what makes the two-file tricks below possible.
  • In one sample, the ISO carried the executable msinfo32.exe together with a malicious DLL; the executable loads that DLL through a DLL search order hijacking attack, which infects the device.
  • In another sample, the ISO carried an LNK file and a polyglot file (valid both as an HTML document and as a DLL); the LNK runs the polyglot as a DLL, which eventually loads the stealer.

More information

  • It opens the default browser to display a decoy document so that the victim does not become suspicious.
  • After sending the stolen data, the malware looks for a specific response from the C2 server confirming that the data has been received; only once it sees that confirmation does it quit.
  • Until confirmation arrives, it reconnects at one-second intervals and collects and sends the data again.
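The reconnect-and-resend behaviour described above gives defenders a simple network signal: a host that sends the same-sized body to one destination every second until the server answers correctly. The Python below is an added detection example written for this article (not code from the researchers or from the malware) that parses web-proxy log lines and flags source/destination pairs showing such a one-second retry loop. The log format, the IP addresses and the assumption that each retry carries an identically sized body are all constructed for the example; the one-second interval is the value reported on this page.

```python
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log lines (timestamp, source IP, destination IP,
# method, request body size). Not real traffic; the format is an assumption.
LOG_LINES = """\
2022-11-08T10:00:00 10.1.2.3 198.51.100.7 POST 4120
2022-11-08T10:00:01 10.1.2.3 198.51.100.7 POST 4120
2022-11-08T10:00:02 10.1.2.3 198.51.100.7 POST 4120
2022-11-08T10:00:03 10.1.2.3 198.51.100.7 POST 4120
2022-11-08T10:00:04 10.1.2.3 198.51.100.7 POST 4120
2022-11-08T10:00:00 10.1.2.9 203.0.113.5 GET 312
2022-11-08T10:00:37 10.1.2.9 203.0.113.5 GET 298
2022-11-08T10:02:11 10.1.2.9 203.0.113.5 GET 305
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, method, size) tuples,
    skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, method, size = parts
        events.append((datetime.fromisoformat(ts), src, dst, method, int(size)))
    return events


def find_retry_loops(events, interval=1.0, tolerance=0.25, min_requests=4):
    """Group requests by (src, dst) and return the pairs that show a run of at
    least `min_requests` requests spaced `interval` seconds apart (within
    `tolerance`). For each hit, report the run length and whether every
    request in the pair carried the same body size (a resend of the same
    stolen data looks identical on the wire)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _method, size in events:
        by_pair[(src, dst)].append((ts, size))
    hits = {}
    for pair, reqs in by_pair.items():
        reqs.sort()
        run = best = 1
        for (t0, _), (t1, _) in zip(reqs, reqs[1:]):
            if abs((t1 - t0).total_seconds() - interval) <= tolerance:
                run += 1
                best = max(best, run)
            else:
                run = 1          # cadence broken, start a new run
        if best >= min_requests:
            hits[pair] = {"run": best, "same_size": len({s for _, s in reqs}) == 1}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_retry_loops(parse_log(LOG_LINES)).items():
        print("%s -> %s: %d requests at ~1s, same size: %s"
              % (src, dst, info["run"], info["same_size"]))
```

The tolerance and minimum run length are tuning knobs: legitimate software polls at fixed intervals too, so the identical body size and the fact that the cadence stops abruptly once the server answers are what separate this pattern from ordinary keep-alive traffic.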

IceXLoader campaign

Researchers have identified an updated variant of the IceXLoader malware, targeting thousands of personal and enterprise machines around the globe.
  • The new variant, tracked as v3.3.3, is fully functional and uses a multi-stage delivery chain that ultimately drops DarkCrystal RAT and cryptocurrency miners on Windows devices.
  • Written in Nim, IceXLoader is known to be delivered via phishing emails carrying malicious ZIP files that deploy the next-stage malware.
  • The ZIP file drops a .NET-based downloader, which in turn drops a file named Ejvffhop.png. Despite its image extension, this file is another dropper: it decrypts IceXLoader and injects it into a newly created process via process hollowing.
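Two of the lures described on this page hide a payload behind a different file type: the HTML/DLL polyglot in the StrelaStealer ISO and the Ejvffhop.png dropper in the IceXLoader chain. The Python below is an added triage example written for this article (not code from the researchers or from either malware) that classifies a file by its real structure rather than its extension: it parses the DOS and COFF headers to decide whether a file is a PE and whether it is a DLL, looks for HTML markup inside a PE, and walks PNG chunks to report data appended after IEND. The page does not say whether the real Ejvffhop.png was a PE with an image extension or a genuine image with an appended payload, so the example handles both cases; every sample file is constructed inside the block.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_FILE_DLL = 0x2000                    # COFF Characteristics flag
HTML_TAGS = (b"<html", b"<!doctype html", b"<script", b"<body")
PE_EXTENSIONS = ("exe", "dll", "sys", "ocx", "scr")


def parse_pe(data):
    """Return (is_pe, is_dll) from the DOS header, PE signature and the COFF
    Characteristics field. Anything malformed is reported as not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False
    # COFF header after the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2) -> Characteristics at +22
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return True, bool(characteristics & IMAGE_FILE_DLL)


def png_trailing_bytes(data):
    """Walk the PNG chunk list to IEND and return how many bytes follow it.
    Returns None if the data is not a well-formed PNG (bad magic, truncated
    chunk, or no IEND chunk)."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):           # 4 length + 4 type + 4 CRC minimum
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 8 + length + 4
        if ctype == b"IEND":
            return len(data) - pos
    return None


def triage(name, data):
    """Return a list of findings for one attachment or dropped file."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    is_pe, is_dll = parse_pe(data)
    if is_pe:
        findings.append("pe-dll" if is_dll else "pe-exe")
        if ext not in PE_EXTENSIONS:
            findings.append("pe-disguised-as-" + (ext or "noext"))
        lowered = data.lower()
        if any(tag in lowered for tag in HTML_TAGS):
            findings.append("html-pe-polyglot")   # valid PE that also renders as HTML
    if ext == "png" and not is_pe:
        trailing = png_trailing_bytes(data)
        if trailing is None:
            findings.append("png-malformed")
        elif trailing:
            findings.append("png-trailing-data:%d" % trailing)
    if ext == "lnk" or data[:4] == b"L\0\0\0":   # Shell Link header size 0x4C
        findings.append("lnk")
    return findings


def build_pe(dll=True, stub=b""):
    """Constructed minimal PE image: DOS header, optional stub bytes, PE
    signature and COFF header. Enough for parse_pe; not a loadable binary."""
    e_lfanew = 0x40 + len(stub)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    return dos + stub + coff


def build_png(trailing=b""):
    """Constructed 1x1 greyscale PNG, optionally with bytes appended after IEND."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")       # filter byte + one pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailing


# Constructed samples mirroring the cases on this page (names are illustrative).
SAMPLES = {
    "msinfo32.exe": build_pe(dll=False),
    "invoice.html": build_pe(dll=True, stub=b"<html><body>Your invoice</body></html>"),
    "payload.png": build_pe(dll=True),
    "photo.png": build_png(),
    "stuffed.png": build_png(trailing=b"\x17" * 512),
}


def triage_all(samples=SAMPLES):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print("%-14s %s" % (name, ", ".join(findings) or "clean"))
```

The polyglot check works because a PE loader only cares that the MZ header is at offset 0 and the PE signature is where e_lfanew points, while an HTML renderer tolerates arbitrary bytes before the first tag; a file that satisfies both parsers is exactly the kind of artefact the StrelaStealer ISO carried. A mail gateway or sandbox that applies this kind of structural check to every file unpacked from an ISO or ZIP catches the mismatch before any user double-clicks it.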

More information

  • Upon infection, the malware collects system metadata, exfiltrates it to an attacker-controlled server, and awaits further instructions from the C2 server.
  • It can download and execute next-stage payloads filelessly, in memory.
  • It can also reboot the compromised system, uninstall the loader, or halt its own execution.

Ending notes

Stealing sensitive information remains an attractive bet for cybercriminals, and spam email remains one of their favorite delivery vectors. Users should therefore stay especially cautious with emails from unknown senders, above all when they carry attachments. Both campaigns here rely on container formats (ISO and ZIP) to smuggle executables, DLLs and LNK files past the recipient, so blocking or quarantining such attachments at the mail gateway removes the initial step of both chains.
Source: Cyware Hacker News