What is IconDown?

IconDown falls under the classification of Trojans. Such malicious applications can enter a system without any permission and without being detected. Cybersecurity specialists suspect that this threat was created by a group of hackers known as BlackTech. Since these cybercriminals seem to be concentrated on cyber-espionage in Asia, it is likely that their newest threat might be used to attack systems of various institutions to obtain highly valuable information. If you want to learn more about it, we encourage you to read our full blog post. Also, users who are interested in learning how to erase IconDown manually should check the instructions we provide below this article. If you have any questions about the Trojan or its removal, feel free to leave us a message in the comments area.

Where does IconDown come from?

As mentioned in the beginning, IconDown seems to be the newest creation of hackers who call themselves BlackTech. Before developing this Trojan, they released a backdoor called Plead. Our researchers at Anti-spyware-101.com say that same as Plead, IconDown might be distributed via ASUS WebStorage’s update function. Specialists believe that cybercriminals might have pulled this off with the help of man-in-the-middle or supply chain attacks on the company’s systems. Of course, researchers who discovered such a possibly have already notified ASUS about it and, hopefully, the company will put an end to the misuse of their systems once and for all. As for now, companies in Asia that use ASUS WebStorage’s update function are advised to be cautious.

How does IconDown work?

Sample found on the computers of Japanese organizations needed to settle in before doing anything else. To be more precise, it was observed that these samples of IconDown created two executable files with random names in the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory. Also, a file called DEV[4_random_characters].TMP was dropped in the %TEMP% folder. Note that this data should allow the malware to auto start with the operating system, which means the Trojan might start running each time an infected computer gets restarted.

Moreover, it is said that IconDown is a downloader. It means its main task might be downloading other threats on an infected device. Since BlackTech seems to be focused on cyber-espionage, it is possible that the malicious applications downloaded by this Trojan could be keyloggers, backdoors, and other tools that could help hackers obtain business secrets or other sensitive information from the attacked organizations. Naturally, the faster this Trojan gets deleted, the less information it might be able to steal.

How to erase IconDown?

Our researchers say that to remove IconDown, it might be enough to delete all of its created files. We listed such data earlier in this blog post, and you can find it listed in our deletion instructions available at the end of this paragraph too. The steps show how to kill the Trojan’s process (you can also restart your computer in Safe Mode to stop such a process) and how to remove it manually. Of course, dealing with such a malicious application on your own can be difficult and risky. Thus, companies that encounter this threat should employ their IT specialists and reputable antimalware tools that could eliminate IconDown as well as other malware that it might have dropped.

Delete IconDown

  1. Click Ctrl+Alt+Delete.
  2. Pick Task Manager and select Processes.
  3. Locate a process belonging to the Trojan.
  4. Select it and click End Task.
  5. Exit Task Manager.
  6. Click Windows key+E.
  7. Navigate to: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  8. Look for random executable files, e.g., slui.exe and ctfmon.exe.
  9. Right-click the malicious executable files and press Delete.
  10. Go to: %TEMP%
  11. Find a .tmp file called DEV[4 random characters].TMP.
  12. Right-click this .tmp file and choose Delete.
  13. Exit File Explorer.
  14. Empty your Recycle Bin.
  15. Restart the computer. 100% FREE spyware scan and
    tested removal of IconDown*

Leave a Comment

Enter the numbers in the box to the right *