IconDown

IconDown is a malicious application that might have been created by hackers called BlackTech. It seems the cybercriminals are targeting various organizations in Asia. Researchers say that the threat is a Trojan downloader, which means it might be used to download malicious content on infected devices. Needless to say that if left unattended, this malicious program could cause a lot of trouble. However, it might not be easy to detect it, and so erasing IconDown could appear to be a challenge. In the instructions placed below this article, we show how it could be possible to remove the Trojan manually, but we cannot guarantee they will work. If this malware gets detected, it would be safer to eliminate it with the help of cybersecurity specialists and reputable antimalware software.

You can learn more about IconDown if you continue reading our article. One of the things about it that we should discuss from the start is how the Trojan could be spread. Such sophisticated malicious applications can enter a system by exploiting various vulnerabilities that a victim’s operating system or other software installed on his device could have. In this case, it looks like hackers might have found a weakness in the ASUS WebStorage update function.

Researchers say that ASUS WebStorage software is vulnerable to the so-called man-in-the-middle attacks. If the hackers used this method, it is possible that they managed to intercept the update process before an update is validated to implant a fake update. It means the malware may not infect legitimate files. Instead, it might make a legit process to create a malicious file with the name of a legit file. According to specialists, BlackTech has already used this method to distribute another threat called Plead. They might be doing the same to spread IconDown too.

It was reported that Plead malware was used to compromise vulnerable routers belonging to affected organizations and even to use them as C&C (command and control) servers for the malicious application. As for IconDown, it is known that the malware was used to attack some organizations based in Japan. Also, some researchers say that it is a downloader, which means it might be used to drop other malicious applications on infected machines. For example, the Trojan could be used to install keyloggers or tools alike that could be utilized to spy on victims.

However, it seems to be still too early to say what the hackers’ goal might be. What is known is that once IconDown appears on a system, it should create a couple of files in the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup location. Files in this location should be placed to ensure that the Trojan gets to be relaunched when an infected machine is restarted. Another record that the malware ought to create is a .tmp file in the %TEMP% folder. Its title could be made from 4 or 8 random characters.

Companies who think their machines could be targeted with this Trojan should check the earlier mentioned folders and look for files that could belong to IconDown. If the malicious application is found, we recommend removing it as fast as possible to prevent the malware from causing even more damage than it might have already done. Our researchers say that erasing files associated with the threat should allow victims to get rid of it. You can learn how to locate and delete data belonging to the Trojan manually if you have a look at the instructions below. If you do, know that instead of completing the first five steps, you can restart your computer in Safe Mode, which might also kill the threat’s process.

Lastly, we should warn victims that removing such a malicious application manually could be too risky as well as difficult. Consequently, we advise leaving this task to your company’s cybersecurity specialists or a reliable antimalware tool that could eliminate IconDown for you. If you have any questions about the malware or its removal, keep in mind that you can leave us a comment at the end of this page.

Erase IconDown

1. Click Ctrl+Alt+Delete.
2. Choose Task Manager and select Processes.
3. Find a process belonging to the threat.
4. Mark it and click End Task.
5. Exit Task Manager.
6. Click Win+E.
7. Find this path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
8. Locate a couple of malicious executable files with random names, for example, ctfmon.exe.
9. Right-click the malicious .exe files separately and select Delete.
10. Locate this directory: %TEMP%
11. Find a malicious .tmp file with a random name, right-click it, and press Delete.
12. Exit File Explorer.
13. Empty Recycle Bin.
14. Restart the computer.