Hackers use new IceBreaker malware to breach gaming companies

A new malware campaign targeting gaming and gambling companies codenamed IceBreaker has been reported.

The attackers contact the companies’ customer service online to seemingly raise an issue. They include a “screenshot” to highlight their “problem,” which includes a backdoor – previously unseen by experts – to hack into their endpoint.

The attacks have been reported since September 2022, and while the group behind them remains a mystery, some of their actions — such as requests to speak to customer service representatives in languages other than English — could be clues to their identity.

Hidden in a JPEG

Whoever the group is, they appear to be using advanced techniques and have thus far avoided exposure.

Israeli cybersecurity firm Security Joes was able to stop three of their attacks after analyzing data from a September 2022 incident, but says the only public recognition of the threat actor is a single tweet from MalwareHunterTeam.

The company also notes that the attackers asked to speak to customer service in Spanish, even though they conversed in other languages as well. Either way, Security Joes believes that English is not their first language.

The apparent screenshots attached to these messages actually contain an LNK file masquerading as a JPG image file. The shortcut fetches the IceBreaker backdoor, or downloads the well-known Visual Basic Script (VBS) Houdini RAT, which has been around for a decade, from the attacker’s server without requiring any further user interaction or interface.

The backdoor is a complex, compiled JavaScript file which Security Joes says can steal files and passwords, run scripts on the target’s system, and open a proxy tunnel between the attacker and the victim. Essentially, the backdoor gives the hackers control over the system and, what’s more, can allow further penetration into the corporate network.

The download launched by the LNK file is an MSI payload that contains the malware and is poorly detected by antivirus services. Bleeping Computer reports that out of 60 scans on the virus scanning website VirusTotal, the malware was detected only 4 times.

The MSI package also carries decoy files that feign a legitimate software signature, which helps explain why such scanning tools find nothing wrong with it.

The Security Joes report on IceBreaker contains advice on how to recognize the malware if you suspect it is on your system: pay attention to shortcut files created in the Startup folder and to the open-source program tsocks.exe being run.
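As an added example, not taken from the article or from the Security Joes report, the following PowerShell triage script checks a Windows host for the two indicators named above plus the image-named shortcut lure. It assumes the default Windows Startup folder locations, uses the current user's Downloads folder as the scan directory, and relies on Prefetch being enabled; none of the paths or names are IoCs from the report.

```powershell
# Added triage checks for the IceBreaker indicators described in the article.
# Nothing here is a confirmed IoC; every hit needs a human look.

function Get-StartupShortcuts {
    # .lnk files in the per-user and all-users Startup folders, resolved to their targets.
    # Assumption: default shell folder layout.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $link = $shell.CreateShortcut($_.FullName)
                [PSCustomObject]@{
                    Shortcut  = $_.FullName
                    Created   = $_.CreationTime
                    Target    = $link.TargetPath
                    Arguments = $link.Arguments
                }
            }
    }
}

function Get-ImageNamedShortcuts {
    # Shortcuts whose name pretends to be an image (e.g. "screenshot.jpg.lnk"),
    # matching the lure described in the article. The directory is a parameter.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '\.(jpe?g|png|gif|bmp)$' } |
        Select-Object FullName, CreationTime
}

function Get-TsocksActivity {
    # Running tsocks.exe processes plus any Prefetch trace of it having been run.
    # Assumption: Prefetch is enabled; reading it needs administrator rights.
    $running  = Get-Process -Name 'tsocks' -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path, StartTime
    $prefetch = Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter 'TSOCKS.EXE-*.pf' `
        -ErrorAction SilentlyContinue | Select-Object Name, LastWriteTime
    [PSCustomObject]@{ Running = $running; PrefetchEntries = $prefetch }
}

# Usage: a shortcut in Startup is common for legitimate software; compare targets against known installs.
Get-StartupShortcuts | Format-Table -AutoSize
Get-ImageNamedShortcuts -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
Get-TsocksActivity | Format-List
```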
