Cybercriminals are targeting human-operated customer service executives at online gaming and gambling firms with a previously unseen backdoor. The backdoor, named IceBreaker, has been active since September 2022.
The attacker’s profile
IceBreaker is the work of a new advanced threat actor that employs a much more targeted social engineering technique.
According to researchers, the group behind these attacks is unknown, with no clear clues related to their origin.
To spread the backdoor, the attackers make contact with the customer support of the target organization, pretending to be users facing some issues in registering or logging in for the online service.
The attackers ask to speak with non-native English customer service executives. In one incident, they asked to speak with Spanish-speaking agents.
Before this attack attempt, the only public evidence of IceBreaker was a tweet from MalwareHunterTeam in October, in which they disclosed some IOCs and later associated the activity with the IceBreaker APT.
About IceBreaker backdoor
IceBreaker is written in Node[.]js, offering the attackers various capabilities.
It supports customization via plugins that extend its built-in features, performs process discovery, and can steal passwords and cookies from local storage (Google Chrome). It can also run a Socks5 reverse proxy server.
Further, it creates LNK files in the Windows startup folder for persistence, sends files to the remote server, runs custom VBS scripts, takes screenshots, and generates remote shell sessions.
The attack strategy
The attackers rely on fooling customer service agents into opening malicious screenshots sent under the guise of a new user who is having problems creating an account.
The hackers persuade the support agent to download an image that describes the problem better.
The image is hosted on a fake site impersonating a genuine service, such as Dropbox, Avast Free Antivirus, and Formware 3D.
The attacker delivers two different types of payload based on the malicious file (LNK or VBS) run by the victim.
If the victim runs the LNK downloader, an MSI package containing the IceBreaker backdoor is delivered.
However, if the victim runs the VBS downloader, Houdini RAT gets downloaded.
At present, limited information is available about IceBreaker. However, experts have identified some indicators that point toward compromise with this malware. Organizations suspecting an intrusion are advised to look for relevant shortcut files in the startup folder and to inspect for unauthorized execution of the open-source tool tsocks[.]exe.
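A triage script for the two indicators named above (startup-folder shortcuts and tsocks.exe execution), added here as an example and not part of the original report. It assumes Windows PowerShell 5.1 or later and, for the event search, that process-creation auditing (Security event 4688) is enabled on the host; the "suspicious" heuristics are the author's assumptions, not published IOCs.

```powershell
# Added example (not from the original report): triage a host for the IceBreaker
# indicators described above. Assumes PowerShell 5.1+ on Windows and, for step 2,
# process-creation auditing (Security event 4688) enabled.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # All Users Startup folder
)
# Assumed heuristic: locations a downloader typically drops payloads into; a
# startup shortcut pointing here deserves a look even if its name looks harmless.
$userWritable = '(?i)\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\'
$shell = New-Object -ComObject WScript.Shell

# 1. Resolve every .lnk in the Startup folders and flag the suspicious ones.
$shortcuts = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            Shortcut   = $_.FullName
            Target     = $lnk.TargetPath
            Arguments  = $lnk.Arguments
            Created    = $_.CreationTime
            # A Node.js backdoor or VBS/MSI launcher shows up as interpreter + script argument
            Suspicious = ($lnk.TargetPath -match $userWritable) -or
                         ($lnk.Arguments  -match '(?i)\.(js|vbs|msi)\b')
        }
    }
}
$shortcuts | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# 2. Process-creation events (4688) whose new process name is tsocks.exe.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(?i)tsocks\.exe' } |
    Select-Object TimeCreated, @{ Name = 'NewProcess'; Expression = {
        ($_.Message -split "`r?`n" | Select-String 'New Process Name').Line.Trim() } } |
    Format-Table -AutoSize

# 3. Fallback when auditing is off: is tsocks.exe running right now?
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -match '(?i)\\tsocks\.exe$' } |
    Select-Object Id, Path, StartTime
```

Run it from an elevated prompt so the Security log and other users' process paths are readable; a shortcut flagged here still needs its target file examined before any conclusion is drawn.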