IXWare is a malware threat offered as Malware-as-a-Service (MaaS) and designed to collect account credentials from Windows systems. More specifically, IXWare appears to be geared towards the Roblox video game, since it carries multiple techniques for collecting Roblox account details. The malware is advertised on a Roblox hacking forum that specializes in reselling accounts, with two price tiers available: 10 euros for one month or 25 euros for three months of service. The sellers advertise an impressive list of features. However, as the infosec researchers who analyzed the threat soon discovered, some of those features are either non-functional or simply do not exist. The analysis also made clear that the creators of IXWare are not sophisticated software developers: many of the malware's functions are copied and pasted from other sources with little or no modification.
Still, IXWare is potent enough and is equipped with a sizable array of threatening functions. The threat performs anti-analysis checks using several techniques for detecting virtual machine environments; if any of the checks is positive, the malware stops its execution. IXWare also implements User Account Control (UAC) bypass methods for several Windows versions: Windows 10 (fodhelper), Windows 8 (CompMgmtLauncher), Windows 7 (CompMgmtLauncher) and Windows Vista (CompMgmtLauncher). Furthermore, a significant section of the code is devoted to disabling the built-in Windows Defender anti-malware service. Persistence is achieved by marking IXWare's process as critical to the system: if the process is terminated, the system crashes and a blue error screen is displayed to the user.
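As an added defender-side example (not code from the article or from IXWare), the following Python flags the preparation step shared by the fodhelper and CompMgmtLauncher bypasses in Sysmon-style telemetry: a write to the per-user registry key that the auto-elevated launcher consults, followed shortly by that launcher starting. The key paths are the publicly documented ones for these two techniques and are an assumption here, as are the Sysmon field names and the constructed sample records.

```python
import re
from datetime import datetime, timedelta

# Per-user keys consulted by the auto-elevated launchers the article names
# (fodhelper on Windows 10, CompMgmtLauncher on Windows 7/8/Vista). The article
# does not list them; this mapping is an assumption of the example.
HIJACK_KEYS = {
    r"hkcu\software\classes\ms-settings\shell\open\command": "fodhelper.exe",
    r"hkcu\software\classes\mscfile\shell\open\command": "compmgmtlauncher.exe",
}

def _key_of(target: str) -> str:
    r"""Normalise a Sysmon TargetObject to a lower-case HKCU key without the value
    name, so both HKU\<SID>_Classes\... and HKU\<SID>\Software\Classes\... match."""
    path = target.lower()
    path = re.sub(r"^hku\\s-1-5-21(?:-\d+)+_classes\\", r"hkcu\\software\\classes\\", path)
    path = re.sub(r"^hku\\s-1-5-21(?:-\d+)+\\", r"hkcu\\", path)
    return path.rsplit("\\", 1)[0]

def detect_uac_bypass(events, window_s=300):
    """events: dicts with 'time' (ISO 8601), 'event_id' (13 = registry value set,
    1 = process create), 'image' and, for event 13, 'target'. Returns one alert per
    launcher start that follows a write to its hijack key within window_s seconds."""
    writes, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 13:
            key = _key_of(ev["target"])
            if key in HIJACK_KEYS:
                writes[key] = (ev["image"], t)
        elif ev["event_id"] == 1:
            exe = ev["image"].lower().rsplit("\\", 1)[-1]
            for key, launcher in HIJACK_KEYS.items():
                if exe == launcher and key in writes:
                    writer, wt = writes[key]
                    if t - wt <= timedelta(seconds=window_s):
                        alerts.append({"launcher": launcher, "writer": writer, "key": key})
    return alerts

# Constructed records in Sysmon shape (not real telemetry); SID and paths are made up.
SAMPLE_EVENTS = [
    {"time": "2021-03-01T10:00:00", "event_id": 13, "image": r"C:\Users\u\AppData\Local\Temp\sample.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"time": "2021-03-01T10:00:01", "event_id": 13, "image": r"C:\Users\u\AppData\Local\Temp\sample.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\ms-settings\Shell\Open\command\(Default)"},
    {"time": "2021-03-01T10:00:02", "event_id": 1, "image": r"C:\Windows\System32\fodhelper.exe"},
    # Benign: the same launcher 90 minutes later, with no fresh write to its key.
    {"time": "2021-03-01T11:30:00", "event_id": 1, "image": r"C:\Windows\System32\fodhelper.exe"},
]
```

Running `detect_uac_bypass(SAMPLE_EVENTS)` yields a single alert naming fodhelper.exe and the writer sample.exe; the later, unprepared fodhelper start is ignored.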
The main functionality of IXWare is data exfiltration. The threat focuses mainly on Chromium-based browsers, but it also supports data theft from the Discord application. IXWare carries a list of the specific browsers it targets and, once established on the compromised system, checks whether any of them are present. The malware obtains the encryption key from the browser's Local State file, decrypts it through CryptoAPI, and then proceeds to decrypt the login credentials the browser stores in an SQLite file. In this manner, IXWare gains access to URLs, usernames, and decrypted passwords. All data is written to a text file placed in the temp path. Data from Discord accounts is collected from Discord token files located in the application data path.
IXWare specifically goes after cookies associated with the Roblox game. It enumerates all running processes looking for one named 'RobloxPlayerBeta'. The malware grabs the authentication token from that process's command-line arguments, sends it to the attacker's Command-and-Control (C&C, C2) server, and then receives back a usable cookie derived from it.