Hackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker. The compromise method relies on tricking customer service agents into opening malicious screenshots the threat actor sends under the guise of a user-facing problem. Such attacks have been happening since at least September 2022.

The group behind these attacks remains unknown. Researchers at incident response firm Security Joes believe that the IceBreaker backdoor is the work of a new advanced threat actor that uses “a very specific social engineering technique,” which could lead to a clearer picture of who they are.

After analyzing the data from a September incident, Security Joes responded to three other attacks before the hackers could compromise their targets. The researchers say that the only public evidence of the IceBreaker threat actor they could find was a tweet from MalwareHunterTeam in October.

To deliver the backdoor, the threat actor contacts the target company’s customer support, pretending to be a user having problems logging in or registering for the online service.
The hackers convince the support agent to download an image that supposedly describes the problem better than they can explain it. The researchers say that the image is typically hosted on a fake website that impersonates a legitimate service, although they also saw it delivered from Dropbox storage. Security Joes says the dialogs it examined between the threat actor and the support agents indicate that the IceBreaker operator isn’t a native English speaker and purposefully asks to speak with Spanish-speaking agents. However, the actor was seen using other languages too.
If the targeted entity has not outsourced customer support services to an external provider, the threat actors can use the backdoor to steal account credentials, move laterally in the network, and extend their intrusion.
At this time, not much is known about the IceBreaker group, but Security Joes decided to publish a report on their findings and share all captured IoCs (indicators of compromise) to help defenders detect and tackle this threat. The researchers have published a technical report describing the threat actor’s modus operandi and how their backdoor works. YARA rules have also been published to help organizations detect the malware. Additionally, Security Joes recommends that companies suspecting an IceBreaker breach look for shortcut files created in the startup folder and check for unauthorized execution of the open-source tool tsocks.exe. Monitoring for msiexec.exe processes that receive URLs as parameters could also indicate compromise, as could the execution of VBS scripts and LNK files from the temporary folder.
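The host-level indicators listed above (msiexec.exe launched with a URL argument, tsocks.exe execution, VBS scripts and LNK files run from the temporary folder, and shortcut files in the Startup folder) can be turned into a small triage check over process-creation telemetry. The following is an added example, not code from Security Joes’ report; the events and file paths are constructed sample data, and the Image/CommandLine field names are an assumed Sysmon-style layout.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (sample data, not from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i https://support-portal.invalid/ticket.msi /qn"},
    {"Image": r"C:\Users\agent\Downloads\tsocks.exe", "CommandLine": "tsocks.exe -c proxy.conf"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\agent\AppData\Local\Temp\problem.vbs"'},
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\agent\AppData\Local\Temp\screenshot.lnk"'},
    {"Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": r"msiexec.exe /i C:\setup\app.msi /qn"},
]
# Constructed file paths, as a listing of user folders might return them.
SAMPLE_PATHS = [
    r"C:\Users\agent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk",
    r"C:\Users\agent\Desktop\notes.lnk",
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# A .vbs or .lnk file whose path passes through a folder named Temp.
TEMP_SCRIPT_RE = re.compile(r"\\temp\\[^\"\s]*\.(?:vbs|lnk)\b", re.IGNORECASE)
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

def classify(event):
    """Return the indicator names matched by one process-creation event."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if image == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("msiexec_with_url")   # installer pulled from a remote URL
    if image == "tsocks.exe":
        hits.append("tsocks_execution")   # open-source proxy tool named in the report
    if TEMP_SCRIPT_RE.search(cmd):
        hits.append("temp_vbs_or_lnk")    # script or shortcut launched from Temp
    return hits

def scan_events(events):
    """Pair each suspicious command line with the indicators it triggered."""
    return [(e["CommandLine"], hits) for e in events if (hits := classify(e))]

def startup_shortcuts(paths):
    """Keep only .lnk files that sit in a per-user or common Startup folder."""
    return [p for p in paths if p.lower().endswith(".lnk") and STARTUP_MARKER in p.lower()]

if __name__ == "__main__":
    for cmd, hits in scan_events(SAMPLE_EVENTS):
        print(f"{', '.join(hits):<18} {cmd}")
    for path in startup_shortcuts(SAMPLE_PATHS):
        print(f"startup_shortcut   {path}")
```

In production the event list would come from the SIEM or Sysmon log export rather than the constructed sample, and hits should be reviewed against known-good software deployment activity before being treated as compromise.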