A new player has appeared in cyberspace, with surprisingly new methods. A previously unknown group attacked gambling and online gaming companies using a yet unknown backdoor, named IceBreaker by researchers.
IceBreaker Backdoor exploits new phishing way
The method of compromising is based on the fact that tech support workers are tricked into opening malicious screenshots that the attacker sends under the guise of a problem that the user is experiencing. The first attacks were recorded in September 2022 by incident response specialists from Security Joes. They believe that the IceBreaker backdoor is the work of a new advanced attacker using a new and very specific social engineering tactic.
Analyzing the technique in perspective can give a clearer picture of who they are. At any rate, by analyzing data from the September incident, the researchers were able to respond to three other attacks before the hackers could compromise their targets. The only public evidence of the existence of the IceBreaker attacker is an October tweet from MalwareHunterTeam.
"Screenshot-13-28-10-03-2022.jpg.lnk": f97ee203a3dd08ac38d16295dbf9cb0c7476690ba03a05afefed34d7e8cfd44e
Next stage: https://down.xn--screnshot-iib.net/42600
IDN: scrėenshot[.]net
Interesting…
🤔@ShadowChasing1 @h2jazi @StopMalvertisin pic.twitter.com/gS9R8oL1YK
— MalwareHunterTeam (@malwrhunterteam) October 3, 2022
To deliver a backdoor, the attacker contacts the target company’s helpdesk. They mimic a user who is having trouble logging in or registering with an online service. The hackers convince a support person to download an image that describes the problem better than they can explain. Experts say that the image is usually hosted on a fake image hosting service. Such a trick aims at convincing the victim that it was delivered from Dropbox storage.
IceBreaker payload deployment
Links delivered in this way lead to a ZIP archive containing a malicious LNK file. The latter actually downloads the IceBreaker backdoor. Other cases of attacks through tech support involved a Visual Basic script that downloads the Houdini RAT. The latter is in use since at least 2013. Hackers use remote access capabilities of this malware to deploy the final payload – exactly, the IceBreaker. The experts noted that the downloaded malware is a very sophisticated compiled JavaScript file. It can detect running processes, steal passwords, and cookies, and open a reverse tunnel through a proxy. It can also receive and run scripts received from the control server.
The malicious LNK is the first-level payload that delivers the IceBreaker malware, and the VBS file is used as a backup in case the helpdesk operator is unable to run the shortcut. The country of origin of the new actor has not yet been identified, however, researchers say that the dialogues they studied between the attacker and support staff show that the actor is not a native speaker of English. They deliberately request to translate the conversation into Spanish. They have also been observed to speak other languages as well. Representatives of the gaming industry, and not only, should stay on alarm, as hackers use a very effective attack vector and a new arsenal of malware.
What’s next?
Malware delivery ways evolve constantly to correspond with surrounding things. Recent changes in Microsoft policy regarding executing macros in the files from the Internet rendered this method of malware delivery almost useless. Moreover, after almost 4 years of total domination of email spam as a delivery method companies began implementing proactive ways of countering this threat. For that reason seeking new ways of spreading was pretty much an obvious step.
Tactic that involves sending a message with a malicious attachment to tech support was anticipated. Moreover, any media content attracts support managers in their drab and dreary workflow. Fortunately, this new way of malware spreading is not that widespread now, and hackers seemingly found a way to circumvent the restrictions from Microsoft. Nonetheless, ignoring that messages to the support may also carry dangers other than bullying or criticism is reckless.