Crooks are pivoting to Nim to better hide their malware

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Cybersecurity researchers from Minerva Labs have spotted a potentially dangerous malware strain written in a relatively new programming language called Nim. 

The team has warned that a growing number of threat actors are porting their malware to Nim to better hide their tools from antivirus solutions and cybersecurity teams.

In this case, the Minerva researchers first found IceXLoader back in June 2022, when it was considered under development, as many of its core functions were still missing. Now, however, the malware has reached version 3.3.3, comes with quite a few dangerous features, and has already infected “thousands” of Windows devices - both at home, and in the office. 

Cryptominers

When victims download and run IceXLoader (which usually happens after a successful phishing attack), it will do a number of things - from gathering metadata about the target endpoint (IP address, device name, OS version, hardware information, etc.), to installing a cryptocurrency miner for the Monero currency. 

Monero is a popular choice among cybercriminals as it’s described as a “privacy coin” making tracing sent tokens virtually impossible. 

Generally speaking, IceXLoader is stage-one malware in a multi-stage attack. It will drop additional malware to the target endpoint, depending on what the threat actors deem most useful for each individual device.

The malware is also relatively good at staying hidden. It obfuscates the code, doesn’t run inside Microsoft Defender’s emulator, and executes PowerShell with an encrypted demand, delaying executing the malware for 35 seconds. That way, it can avoid sandboxes, as well. 

The researchers found the malware’s SQLite database file, and discovered “thousands of victim records”. They’ve begun notifying these people, it was added. 

While the original version of IceXLoader went for $118 on the dark web, as per The Register, the cost of the new version is yet to be seen. 

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS