# UnpacMe Weekly: New Version of IcedId Loader

**[blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader](https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader)**

[Sean Wilson](https://blog.unpac.me/author/sean/), May 3, 2023

## Highlights

- [Added support for the newly observed version of the IcedId Core Loader Fork and IcedId Loader Fork](https://www.unpac.me/results/6fff8dc0-4fe5-413c-a52f-05267118550b?ref=blog.unpac.me#/)
- [Nullmixer SEO search result poisoning delivering LegionLoader](https://www.unpac.me/results/4e4d4e5d-e399-4ac9-96d4-9aea5fd1b93d?ref=blog.unpac.me#/)
- String search: performance improvements and bug fixes

## New Features

This week we continued work on improving our new [string search feature](https://blog.unpac.me/2023/04/25/unpacme-weekly-search-everything/). Based on your feedback and bug reports, we've made several improvements to the overall speed and stability of search. In addition to search, we also pushed some changes to [Yara Hunt](https://www.unpac.me/yara/search?ref=blog.unpac.me) to improve the overall performance of Yara scans.

## Threat Spotlight: New IcedID Loader Fork

On April 30, 2023 we observed a new version of the previously forked IcedID loader and core loader. The initial fork of these components was [detailed by Proofpoint in March 2023](https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid?ref=blog.unpac.me). This new fork contains some significant updates to both components.

**Forked Loader Updates**

```
b40076de066f06cfd29f43ae69d1e8c1627021a06bf2edff654626671acfb752
```

The loader configuration file is no longer encrypted using a simple XOR algorithm with a 64-byte key.
The new loader configuration file encryption algorithm is the same custom algorithm previously used by the core loader, as detailed in the [mwcfg](https://github.com/c3rb3ru5d3d53c/mwcfg?ref=blog.unpac.me) module [icedid_peloader.py](https://github.com/c3rb3ru5d3d53c/mwcfg-modules/blob/f1064aea63d11b5069a1839cf2b9d10d43cee1aa/icedid/peloader/icedid_peloader.py?ref=blog.unpac.me).

**Forked Core Loader Updates**

```
27483870f4df637c7532e41c61e2ee1b6734b28bf511855b68c61abad031c8c8
```

The IcedID bot is now embedded directly in the core loader instead of being delivered in a separate .dat file. With the bot embedded in the core loader, the command line parameter `-tidu="license.dat"` is no longer required when launching the loader.

The embedded bot continues to use the same custom headerless "pe" format [detailed by Malwarebytes in 2019](https://www.malwarebytes.com/blog/news/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads?ref=blog.unpac.me). The bot "pe" sections are split between the `.text`, `.rdata` and `.data` sections of the core loader (one section in each). The core loader combines these disparate sections into a single blob of data, which is then decrypted using XOR with the hard-coded 32-byte ASCII key `zzfersksximkogxswguwqvngtjkvvzjy`. The decrypted blob is then passed through the same custom decryption routine used by previous versions of the core loader, as detailed in the [mwcfg](https://github.com/c3rb3ru5d3d53c/mwcfg?ref=blog.unpac.me) module [icedid_peloader.py](https://github.com/c3rb3ru5d3d53c/mwcfg-modules/blob/f1064aea63d11b5069a1839cf2b9d10d43cee1aa/icedid/peloader/icedid_peloader.py?ref=blog.unpac.me). Once decrypted, the plaintext blob is loaded into memory using the custom IcedId "pe" loader.

The PDB path in the new core loader fork, `E:\source\anubis\int-bot\x64\Release\int-bot.pdb`, indicates that this new version is internally referred to as `int-bot`.
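The following Python is an added illustration of the first, XOR layer described above for the forked core loader; it is not code from the post, from UnpacMe, or from the mwcfg project. It reassembles the three carrier-section fragments into one blob and XORs it against the 32-byte ASCII key quoted in the post. Two things are assumptions of this example rather than facts from the post: the concatenation order `.text`, `.rdata`, `.data`, and the sample plaintext, which is constructed here for a round-trip check. The second stage (the custom routine in the mwcfg `icedid_peloader.py` module) is deliberately not reproduced; `xor_repeating_key` also covers the "simple XOR with a 64-byte key" scheme the old loader configuration used, since a repeating-key XOR is the same operation at either key length.

```python
from itertools import cycle

# Hard-coded 32-byte ASCII XOR key reported in the post for the forked core loader.
CORE_LOADER_XOR_KEY = b"zzfersksximkogxswguwqvngtjkvvzjy"

# The post says one "pe" fragment lives in each of .text, .rdata and .data but does
# not state the order in which the loader concatenates them; this order is an
# assumption for the example.
CARRIER_SECTION_ORDER = (".text", ".rdata", ".data")

# Constructed sample plaintext standing in for the headerless "pe" bot blob.
DEMO_PLAINTEXT = b"CONSTRUCTED-HEADERLESS-PE-BLOB-" * 4


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key`, repeating the key as needed.

    The operation is symmetric, so the same call encrypts and decrypts. Works for
    the 32-byte core loader key and equally for a 64-byte loader-config key.
    """
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def combine_carrier_sections(sections: dict[str, bytes]) -> bytes:
    """Reassemble the split bot blob from its three carrier sections.

    `sections` maps PE section name -> raw section bytes (as an analyst would pull
    them from the core loader). Missing sections are an error rather than silently
    producing a truncated blob.
    """
    missing = [name for name in CARRIER_SECTION_ORDER if name not in sections]
    if missing:
        raise KeyError(f"carrier section(s) missing: {missing}")
    return b"".join(sections[name] for name in CARRIER_SECTION_ORDER)


def decrypt_embedded_bot_layer1(sections: dict[str, bytes],
                                key: bytes = CORE_LOADER_XOR_KEY) -> bytes:
    """First decryption layer only: concatenate the fragments, then XOR.

    The returned buffer still has to go through the custom routine implemented in
    the mwcfg icedid_peloader module before it is the plaintext "pe" blob; that
    routine is not reproduced here.
    """
    if len(key) != 32 or not key.isascii():
        raise ValueError("core loader key is expected to be 32 ASCII bytes")
    return xor_repeating_key(combine_carrier_sections(sections), key)


def demo_roundtrip() -> bytes:
    """Encrypt the constructed sample, split it across the three sections the way
    the loader stores it, and recover it with decrypt_embedded_bot_layer1()."""
    ciphertext = xor_repeating_key(DEMO_PLAINTEXT, CORE_LOADER_XOR_KEY)
    # Split points are arbitrary: the key alignment is restored by concatenating
    # before the XOR, which is the order of operations the post describes.
    sections = {
        ".text": ciphertext[:40],
        ".rdata": ciphertext[40:90],
        ".data": ciphertext[90:],
    }
    return decrypt_embedded_bot_layer1(sections)


if __name__ == "__main__":
    recovered = demo_roundtrip()
    print("round trip ok:", recovered == DEMO_PLAINTEXT)
```

Because XOR is applied after the fragments are joined, the key offset of a byte depends on its position in the combined blob, not in its section; that is why the section order matters and is worth confirming against a real sample before relying on the output.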
## Weekly Threat Hunting

As in recent weeks, we continue to see an almost even distribution between Downloaders, InfoStealers, and Remote Access Trojans (RATs). Analysis of the top user submitted files shows a near-identical trend to last week, with the top threats being [AgentTesla](https://www.unpac.me/results/87b376b3-0dcb-4338-8b41-47c9175b8628?ref=blog.unpac.me#/), [Amadey](https://www.unpac.me/results/8b57b323-6501-44eb-bae3-73d783e4744b?ref=blog.unpac.me#/), [SmokeLoader](https://www.unpac.me/results/6f8e1479-af08-49e2-914b-d8ba27bddd69?ref=blog.unpac.me#/), and [SnakeKeylogger](https://www.unpac.me/results/84cc9978-4f3a-406d-be8e-d5642bb548cc?ref=blog.unpac.me#/). One notable change was an overall drop in submitted [FormBook](https://www.unpac.me/results/70ff27ed-f102-4e69-8d9d-e09a7bbfca50?ref=blog.unpac.me#/) samples.

Continued analysis of .NET based malware families confirmed some of our suspicions from [last week](https://blog.unpac.me/2023/04/25/unpacme-weekly-search-everything/) regarding the use of [XorStringsNET](https://github.com/dr4k0nia/XorStringsNET?ref=blog.unpac.me). We have been tracking samples from additional .NET malware families such as [RedLine Stealer and XWorm](https://www.unpac.me/results/0fe69b7a-1fe7-4d34-a2f3-0c18994eabc8?ref=blog.unpac.me#/) leveraging the tool for an additional layer of obfuscation.

Over the past week, monitoring of the [UnpacMe Threat Feed](https://www.unpac.me/feed?ref=blog.unpac.me) has corroborated our suspicions regarding the increase of AgentTesla samples. We are seeing that over 80% of [submitted AgentTesla samples](https://www.unpac.me/results/8a77cc81-6f13-4f1b-b380-b62752d15e6d?ref=blog.unpac.me#/) are using the XorStringsNET string encryption. We expect that over the next couple of weeks we will likely see an increase in several .NET malware families that leverage the tool, as it gains popularity among less-skilled threat actors.
Last Week's Top Submitted Threats

## Threat Coverage

We've added and improved coverage for the following malware families.

- **IcedId Fork(s)** - A new fork of the previously forked IcedId first [observed by ProofPoint](https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid?ref=blog.unpac.me) in 2023. New versions of the [forked loader](https://www.unpac.me/results/e8819691-d52c-40c3-b03d-884a73fca74a?ref=blog.unpac.me) and [forked core loader](https://www.unpac.me/results/77728a43-a8c3-4018-8d53-8835d30c168d?ref=blog.unpac.me) were first observed by [UnpacMe](https://www.unpac.me/?ref=blog.unpac.me#/) on April 30, 2023. This new fork contains significant changes from the previous version, including a new custom decryption algorithm used by the core loader and the inclusion of the bot in the core loader rather than deployment via separate .dat files. We have added configuration extractors for both the forked loader and the forked core loader.
- **[LegionLoader](https://www.unpac.me/results/4e4d4e5d-e399-4ac9-96d4-9aea5fd1b93d?ref=blog.unpac.me)** - LegionLoader (aka Satacom) is a downloader and cryptocurrency stealer primarily distributed via the [Nullmixer](https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/?ref=blog.unpac.me) pay-per-install service. Nullmixer uses SEO to poison search results with high-ranking links to their malware for common search terms such as "free pdfs" and "cracked software". We've added a new configuration extractor for LegionLoader to extract the command-and-control (C2) and encrypted strings.

As always, if you have any feedback or issues please let us know. Happy Unpacking!