A new malware campaign targeting gaming and gambling companies has been reported and codenamed IceBreaker.
The attackers contact the customer support section of the companies online to seemingly raise an issue. They attach a ‘screenshot’ to highlight their ‘problem’, which contains a backdoor – previously unseen by experts – to hack their endpoint.
The attacks have been reported since September 2022, and although the group behind them remains a mystery, some of their actions – such as requesting to speak to customer service agents in languages other than English – may be clues to their identity.
Hiding in a JPEG
Whoever the group is, they appear to be using advanced techniques and have avoiding being exposed so far.
Israeli cybersecurity firm Security Joes was able to stop three of their attacks after analyzing data from an incident in September 2022, but says the only public recognition of the threat actor was a single tweet from MalwareHunterTeam (opens in new tab).
The firm also notes that the attackers have asked to speak to customer service in Spanish, although they were observed conversing in other languages as well. Regardless, Security Joes believes that English is not their first language.
The apparent attached screenshots that they send to these companies contain a LNK file but masquerades as a JPG image file. It retrieves the IceBreaker backdoor, or downloads the well-known Visual Basic Script (VBS) Houdini Rat, which has been around for a decade, from the attacker’s server without any user interaction or interface required.
The download that the LNK file initiates is an MSI payload containing the malware, and is poorly detected by antivirus services – Bleeping Computer reports that out of 60 scans on virus scanning website VirusTotal, the malware was only detected 4 times.
The decoy files within the malware that feign a legitimate software signature mean that such tools do find anything wrong with it.
Security Joes’ report on IceBreaker (opens in new tab) contains adivce on how to spot the malware if you suspect it is on your system. Lookout for shortcut files created in the startup folder and opening of the open-source tsocks.exe program.