StrelaStealer and IceXLoader Drive Info-Stealing Campaigns | Cyware Hacker News

StrelaStealer campaign

• Upon execution, the malware searches for credentials stored in the Thunderbird and Outlook email clients to steal them.
• This malware is delivered via spam emails carrying malicious ISO files as an attachment.
• In one sample, the ISO carried the executable file msinfo32.exe, which infects the target device with malware via DLL search order hijacking attack. 
• In another example, the ISO carried an LNK and a polyglot file (which could be treated as both HTML and DLL files), which eventually loads the malware.

More information

• It opens the default browser to show decoy documents and avoid any suspicion.
• Furthermore, the malware checks for a specific response from the C2, which provides confirmation that data has been received, and quits execution. 
• Until confirmation is received, it tries to reconnect at an interval of one second and attempts to steal data again.

IceXLoader campaign

• The new variant, tracked as v3.3.3, is fully functional and includes a multi-stage delivery chain to target Windows devices with DarkCrystal RAT and cryptocurrency miners.
• Written in NIM language, the IceXLoader malware is known to be delivered via phishing emails, carrying malicious ZIP files that deploy next-stage malware.
• The ZIP files drop a .NET-based downloader, which further drops a PNG image Ejvffhop.png. This image file is another dropper, which decrypts and injects IceXLoader into a new process by leveraging process hollowing.

More information

• Upon infection, the malware collects system metadata, exfiltrates that to a remote server controlled by the attacker, and awaits further instructions from the C2 server.
• It can download and execute next-stage malware filelessly in memory.
• Also, it can reboot compromised systems and uninstall the malware loader and even halt its execution.

Ending notes