Crooks are pivoting to Nim to better hide their malware

Cybersecurity researchers from Minerva Labs have spotted a potentially dangerous malware strain written in a relatively new programming language called Nim. 

The team has warned that a growing number of threat actors are porting their malware to Nim to better hide their tools from antivirus solutions and cybersecurity teams.

In this case, the Minerva researchers first found IceXLoader back in June 2022, when it was considered under development, as many of its core functions were still missing. Now, however, the malware has reached version 3.3.3, comes with quite a few dangerous features, and has already infected “thousands” of Windows devices – both at home, and in the office. 


When victims download and run IceXLoader (which usually happens after a successful phishing attack), it will do a number of things – from gathering metadata about the target endpoint (IP address, device name, OS version, hardware information, etc.), to installing a cryptocurrency miner for the Monero currency. 

Monero is a popular choice among cybercriminals as it’s described as a “privacy coin” making tracing sent tokens virtually impossible. 

Generally speaking, IceXLoader is stage-one malware in a multi-stage attack. It will drop additional malware to the target endpoint, depending on what the threat actors deem most useful for each individual device.

The malware is also relatively good at staying hidden. It obfuscates the code, doesn’t run inside Microsoft Defender’s emulator, and executes PowerShell with an encrypted demand, delaying executing the malware for 35 seconds. That way, it can avoid sandboxes, as well. 

The researchers found the malware’s SQLite database file, and discovered “thousands of victim records”. They’ve begun notifying these people, it was added. 

While the original version of IceXLoader went for $118 on the dark web, as per The Register, the cost of the new version is yet to be seen. 

Via: The Register

Go to Source