A new malware campaign codenamed IceBreaker targeting gaming and gambling companies has been reported.
The attackers contact the companies’ customer service online, pretending to raise an issue. They attach a “screenshot” to illustrate their “problem”, and that attachment carries a backdoor – one experts had not seen before – used to compromise the agent’s endpoint.
The attacks have been reported since September 2022, and while the group behind them remains a mystery, some of their actions — like asking to speak to customer service agents in languages other than English — could be clues to their identity.
Hide in a JPEG
Whoever the group is, they appear to be using advanced techniques and have so far avoided exposure.
Israeli cybersecurity firm Security Joes was able to stop three of its attacks after analyzing data from an incident in September 2022, but says the only public acknowledgment of the threat actor is a single tweet from MalwareHunterTeam.
The company also notes that the attackers asked to speak to customer service in Spanish, although they were observed conversing in other languages as well. Regardless, Security Joes believes English is not their first language.
The supposed screenshots they send to these companies are actually LNK (Windows shortcut) files disguised as JPG images. The shortcut retrieves the IceBreaker backdoor, or downloads the well-known Visual Basic Script (VBS) Houdini RAT, which has been around for a decade, from the attacker’s server without requiring any further user interaction.
The file is complex, compiled JavaScript that, according to Security Joes, can steal files and passwords, run scripts on the target’s system, and open a proxy tunnel between the attacker and the victim. Essentially, the backdoor gives the hackers control of the system and can also serve as a foothold for a further intrusion into the corporate network.
The download that the LNK file initiates is an MSI payload that contains the malware and is poorly detected by antivirus services – Bleeping Computer reports that out of 60 scans on virus scanning website VirusTotal, the malware was only detected 4 times.
The decoy files bundled with the malware mimic a legitimate software signature, meaning such tools will find something wrong with it.
Security Joes’ report on IceBreaker contains advice on how to spot the malware if you suspect it is on your system: look for shortcut files created in the startup folder and for the open-source tsocks.exe program.
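As an added illustration of that detection advice (this is not code from the Security Joes report), the following Python triage routine flags the artefacts this article names: shortcut content hiding behind an image extension, image-named double extensions such as .jpg.lnk, shortcuts inside a Startup folder, and a tsocks.exe binary. The shortcut header bytes and the sample paths are constructed, and the Startup folder locations in the live-scan block are assumed to be the standard Windows ones.

```python
"""Triage file entries for the IceBreaker lure and persistence artefacts."""
import os
from pathlib import PureWindowsPath

# Constructed constant: the first 20 bytes of every Windows shortcut are
# HeaderSize 0x4C followed by the ShellLink CLSID, stored little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

def triage(entries):
    """entries: iterable of (windows_path, first_bytes). Returns [(path, reason), ...]."""
    findings = []
    for path, head in entries:
        p = PureWindowsPath(path)
        name = p.name.lower()
        suffixes = [s.lower() for s in p.suffixes]
        is_lnk_content = head.startswith(LNK_MAGIC)
        is_lnk_name = name.endswith(".lnk")
        # 1. Shortcut header behind a non-.lnk name: the "screenshot" that is really an LNK.
        if is_lnk_content and not is_lnk_name:
            shown = suffixes[-1] if suffixes else "no extension"
            findings.append((path, "shortcut content disguised as " + shown))
        # 2. Image-looking double extension such as screenshot.jpg.lnk.
        if is_lnk_name and len(suffixes) >= 2 and suffixes[-2] in IMAGE_EXTS:
            findings.append((path, "image double extension hiding .lnk"))
        # 3. Any shortcut (by name or content) inside a Startup folder.
        if (is_lnk_content or is_lnk_name) and STARTUP_MARKER in str(p).lower():
            findings.append((path, "shortcut in Startup folder"))
        # 4. The open-source proxy tool the report says to look for.
        if name == "tsocks.exe":
            findings.append((path, "tsocks.exe present"))
    return findings

def read_heads(folder, n=20):
    """Yield (path, first n bytes) for each file in folder, for a live scan on Windows."""
    for entry in os.scandir(folder):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                yield entry.path, fh.read(n)

if __name__ == "__main__":
    # Assumed standard per-user and all-users Startup folder locations.
    candidates = [
        os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]
    for folder in candidates:
        if os.path.isdir(folder):
            for hit in triage(read_heads(folder)):
                print(*hit)
```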