IceXLoader is a Nim-based commercial loader promoted in malware forums to download and deploy additional payloads on Windows machines, with ties to NimzaLoader used by the TrickBot group. The article outlines IceXLoader v3.0’s technical behavior, potential delivered malware (including DcRat and a Monero miner), C2 communication, persistence/evasion techniques, and observed infection chains and IOCs. #IceXLoader #TrickBot
Key points
- IceXLoader 3.0 is a Nim-based loader advertised in underground forums and marketed as a way to download and deploy further malware on Windows hosts.
- The Nim-based version appears to be a port of earlier IceXLoader iterations (v1) and links to the NimzaLoader variant of BazarLoader used by the TrickBot group.
- Developers offer the loader for sale (e.g., $118 lifetime license) and present a developer website offering malware-related services, implying a commercial ecosystem around IceXLoader.
- The loader builds into standalone executables with hardcoded configuration, enabling persistence via startup folders and Run registry keys; mutex logic is incomplete, allowing multiple instances on reboot.
- IceXLoader engages in AMSI/Defender evasion (AMSI patching, PowerShell-based Defender real-time scan disruption, and Defender exclusions).
- Communication with C2 is plaintext over HTTP(S) POST, using the machine GUID as a victim ID; the loader reports system information and awaits commands such as downloading and executing further payloads.
- Infection chains include malspam-delivered IceXLoader v1 leading to DcRat and a multi-stage .NET loader dropping IceXLoader v3 to mine Monero; these chains illustrate evolving delivery and payload scenarios.
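The persistence and evasion behaviours in the key points above (a copy into the Startup folder, a Run registry value, Defender real-time scan disruption and exclusions, AMSI patching) all leave host telemetry. The following triage script is an added example written for this summary, not Fortinet's code and not from the IceXLoader report: it runs the corresponding checks over constructed Sysmon-shaped JSON lines. The paths, SIDs and image names in the sample are placeholders, and the Defender rule assumes tampering goes through the standard `Set-MpPreference`/`Add-MpPreference` cmdlets, which the report does not quote verbatim.

```python
"""Host-side triage for IceXLoader-style persistence and Defender tampering.
Added example, not Fortinet's code; sample events below are constructed."""
import json
import re
from collections import Counter

# Run / RunOnce values under HKCU or HKLM (Sysmon EventID 13, RegistryEvent value set).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Executable-ish drops into the per-user Startup folder (Sysmon EventID 11, FileCreate).
STARTUP_DROP = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|lnk|bat|vbs|js)$", re.IGNORECASE
)
# Loaders typically persist from user-writable locations; that raises severity.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Assumption: Defender is tampered with via the documented preference cmdlets.
DEFENDER_TAMPER = re.compile(
    r"(Set|Add)-MpPreference\b.*?(DisableRealtimeMonitoring|Exclusion(Path|Process|Extension))",
    re.IGNORECASE | re.DOTALL,
)
# Script blocks (PowerShell event 4104) that mention the AMSI scan entry point are worth a look.
AMSI_PATCH_HINT = re.compile(r"AmsiScanBuffer|amsi\.dll", re.IGNORECASE)

# Constructed Sysmon-shaped JSON lines; every path and SID here is a placeholder.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"}
{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Roaming"}
{"EventID": 4104, "ScriptBlockText": "placeholder script block that references AmsiScanBuffer in amsi.dll"}
{"EventID": 1, "Image": "C:\\Program Files\\Git\\bin\\git.exe", "CommandLine": "git pull"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Start", "Details": "DWORD (0x00000002)"}
"""


def triage_event(ev: dict) -> list:
    """Return (technique, reason) pairs for one event; empty if nothing matched."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        target = ev.get("Details", "")
        where = "user-writable path" if USER_WRITABLE.search(target) else "system path"
        hits.append(("T1547.001", f"Run key {ev['TargetObject']} -> {target} ({where})"))
    if eid == 11 and STARTUP_DROP.search(ev.get("TargetFilename", "")):
        hits.append(("T1547.001", f"executable dropped in Startup folder: {ev['TargetFilename']}"))
    if eid == 1 and DEFENDER_TAMPER.search(ev.get("CommandLine", "")):
        hits.append(("T1562.001", f"Defender preference change: {ev['CommandLine']}"))
    if eid == 4104 and AMSI_PATCH_HINT.search(ev.get("ScriptBlockText", "")):
        hits.append(("T1562.001", "script block references AmsiScanBuffer / amsi.dll"))
    return hits


def triage(jsonl: str) -> list:
    """Run triage_event over every non-empty JSON line, keeping the source image."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for technique, reason in triage_event(ev):
            findings.append({"technique": technique, "reason": reason, "image": ev.get("Image", "")})
    return findings


def double_persistence(findings: list) -> set:
    """Images with two or more autostart hits: the Startup-copy plus Run-key pattern above."""
    per_image = Counter(f["image"] for f in findings if f["technique"] == "T1547.001")
    return {img for img, n in per_image.items() if n >= 2}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f["technique"], f["reason"])
    print("double persistence:", double_persistence(found))
```

Treat the Run-key and Startup-folder matches as one case per image rather than two alerts; the report notes the loader uses both mechanisms, so `double_persistence` is the signal that best separates it from ordinary installers that use one.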
MITRE Techniques
- [T1566.001] Phishing – An email with a ZIP file attachment masquerading as an invoice is sent to unsuspecting victims. ‘An email with a ZIP file attachment masquerading as an invoice is sent to unsuspecting victims.’
- [T1547.001] Boot or Logon Autostart Execution – IceXLoader utilizes Windows startup features to survive reboots; copies itself to Startup and adds a Run registry entry. ‘If configured, IceXLoader utilizes Windows startup features commonly abused by malware to survive system reboots. It copies itself to %AppData%\Microsoft\Windows\Start Menu\Programs\Startup with a configurable filename.’
- [T1562.001] Impair Defenses – In-memory patching of AMSI.DLL to bypass AMSI, and actions to disable Defender real-time scan with exclusions. ‘in-memory patching of “AmsiScanBuffer” in AMSI.DLL. This reduces the chance of IceXLoader and its subsequent malware payloads being detected.’
- [T1059.001] PowerShell – PowerShell commands used to evade detection (e.g., disabling Defender real-time scan). ‘PowerShell commands to disable Windows Defender’s real-time scan.’
- [T1071.001] Web Protocols – C2 communication over HTTP/HTTPS POST with a victim ID in the User-Agent and plaintext data. ‘IceXLoader communicates with a hardcoded list of C2 servers via HTTP/HTTPS POST requests. The User-Agent HTTP header is set to the Windows machine GUID… Communication between the loader and C2 is in plaintext.’
- [T1082] System Information Discovery – The loader collects detailed system information before reporting to C2. ‘Nickname… Victim ID… Username and machine name… Windows OS version… Installed antivirus products… Presence of .NET Framework… Loader version… Memory… Processor name… Graphics card name.’
- [T1105] Ingress Tool Transfer – Commands allow downloading and executing files from URLs (e.g., runFile URL TEMP_FILE_NAME). ‘Send a GET request to download a file from URL to %TEMP% as TEMP_FILE_NAME and then open it with “cmd /c”.’
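The C2 pattern in [T1071.001] above (plaintext HTTP/HTTPS POSTs whose User-Agent is the Windows machine GUID) and the download step in [T1105] are both visible in proxy logs. The script below is an added example for this summary, not Fortinet's code: it parses a constructed tab-separated proxy log, matches requests against the report's defanged C2 and download URLs, flags any POST whose whole User-Agent is a GUID, and groups hits by that GUID so one infected host becomes one case. The log format, client addresses and the GUID value are constructed; the assumption that the GUID is sent bare (or brace-wrapped) as the entire User-Agent value is mine, not a statement from the report.

```python
"""Proxy-log detection for the IceXLoader beacon shape. Added example, not
Fortinet's code; the log lines below are constructed."""
import re
from collections import Counter

# IoCs from the report, kept defanged as published and refanged only at match time.
C2_ENDPOINTS_DEFANGED = (
    "kulcha[.]didns[.]ru:8080/Script.php",
    "golden-cheats[.]com/icex/Script.php",
)
DOWNLOAD_URLS_DEFANGED = (
    "funmustsolutions[.]site/wp-includes/icex/Files/Client.exe",
    "funmustsolutions[.]site/wp-includes/icex/Files/Loader.exe",
)


def refang(ioc: str) -> str:
    """Turn a defanged host/path indicator back into a matchable string."""
    return ioc.replace("[.]", ".")


C2_ENDPOINTS = {refang(u) for u in C2_ENDPOINTS_DEFANGED}
DOWNLOAD_URLS = {refang(u) for u in DOWNLOAD_URLS_DEFANGED}

# Assumption: the machine GUID is the entire User-Agent value, with or without braces.
GUID_UA = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.IGNORECASE
)

# Constructed proxy log: tab-separated timestamp, client, method, host[:port], path, status, User-Agent.
FIELDS = ("ts", "client", "method", "host", "path", "status", "user_agent")
SAMPLE_LOG = "\n".join([
    "2022-06-01T10:00:01Z\t10.0.0.5\tPOST\tkulcha.didns.ru:8080\t/Script.php\t200\t7b6f2e4d-1a2b-4c3d-9e8f-0a1b2c3d4e5f",
    "2022-06-01T10:00:31Z\t10.0.0.5\tPOST\tgolden-cheats.com\t/icex/Script.php\t200\t7b6f2e4d-1a2b-4c3d-9e8f-0a1b2c3d4e5f",
    "2022-06-01T10:01:02Z\t10.0.0.5\tGET\tfunmustsolutions.site\t/wp-includes/icex/Files/Client.exe\t200\t7b6f2e4d-1a2b-4c3d-9e8f-0a1b2c3d4e5f",
    "2022-06-01T10:01:05Z\t10.0.0.9\tGET\twww.example.com\t/index.html\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2022-06-01T10:01:07Z\t10.0.0.9\tPOST\tapi.example.com\t/v1/events\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2022-06-01T10:02:01Z\t10.0.0.5\tPOST\t203.0.113.7\t/Script.php\t200\t{7B6F2E4D-1A2B-4C3D-9E8F-0A1B2C3D4E5F}",
])


def parse_line(line: str) -> dict:
    """Split one tab-separated log line into named fields; reject malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed log line: {line!r}")
    return dict(zip(FIELDS, parts))


def classify(rec: dict) -> list:
    """Reasons a request looks like IceXLoader traffic; empty list means benign."""
    reasons = []
    endpoint = rec["host"] + rec["path"]
    if endpoint in C2_ENDPOINTS:
        reasons.append("known IceXLoader C2 endpoint")
    if endpoint in DOWNLOAD_URLS:
        reasons.append("known IceXLoader payload download URL")
    # Behavioural rule: catches C2 hosts not yet on the IoC list, such as the last sample line.
    if rec["method"] == "POST" and GUID_UA.match(rec["user_agent"]):
        reasons.append("POST with machine-GUID User-Agent (beacon shape)")
    return reasons


def detect_beacons(log_text: str) -> list:
    """Parse every non-empty line and keep those with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def victims(findings: list) -> dict:
    """Count hits per normalised GUID so one host's beacons collapse into one case."""
    ids = Counter()
    for f in findings:
        ua = f["user_agent"]
        if GUID_UA.match(ua):
            ids[ua.strip("{}").lower()] += 1
    return dict(ids)


if __name__ == "__main__":
    hits = detect_beacons(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["client"], h["method"], h["host"] + h["path"], "->", "; ".join(h["reasons"]))
    print("victim ids:", victims(hits))
```

The IoC matches are exact and will age; the GUID-as-User-Agent rule is the durable part, since it follows from how the loader identifies victims rather than from which hosts it talks to. Expect some tuning against internal tooling that also sends a bare GUID as its agent string.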
Indicators of Compromise
- [Files (SHA256)] IceXLoader-related samples – 6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794, 4eaed1357af8b4f757c16d90afb339161ac73fa4b8d867a416664b89a1d0a809, and 6 more hashes
- [C2 URLs] C2 servers used by IceXLoader – kulcha[.]didns[.]ru:8080/Script.php and golden-cheats[.]com/icex/Script.php, and 5 more URLs
- [Download URLs] IceXLoader payloads/downloads – funmustsolutions[.]site/wp-includes/icex/Files/Client.exe and funmustsolutions[.]site/wp-includes/icex/Files/Loader.exe, and 3 more download URLs
Read more: https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim