A new player has appeared in cyberspace, with surprisingly novel methods. A previously unknown group attacked gambling and online gaming companies using a previously unseen backdoor, named IceBreaker by researchers.
IceBreaker backdoor relies on a new phishing method
The method of compromise relies on tricking tech support workers into opening malicious "screenshots" that the attacker sends under the guise of a problem the user is experiencing. The first attacks were recorded in September 2022 by incident response specialists from Security Joes. They believe that the IceBreaker backdoor is the work of a new advanced attacker using a new and very specific social engineering tactic.
Analyzing the technique in perspective can give a clearer picture of who they are. In any case, by analyzing data from the September incident, the researchers were able to respond to three other attacks before the hackers could compromise their targets. The only public evidence of the IceBreaker attacker's existence is an October tweet from MalwareHunterTeam.
Next stage: https://down.xn--screnshot-iib.net/42600
🤔@ShadowChasing1 @h2jazi @StopMalvertisin pic.twitter.com/gS9R8oL1YK
— MalwareHunterTeam (@malwrhunterteam) October 3, 2022
To deliver the backdoor, the attacker contacts the target company's helpdesk, posing as a user who is having trouble logging in or registering with an online service. The hackers convince a support person to download an image that supposedly describes the problem better than they can explain it. Experts say that the image is usually hosted on a fake image hosting service, a trick intended to convince the victim that the file comes from Dropbox storage.
IceBreaker payload deployment
The downloaded file is a malicious LNK shortcut, the first-stage payload that delivers the IceBreaker malware; a VBS file serves as a backup in case the helpdesk operator is unable to run the shortcut. The country of origin of the new actor has not yet been identified, but researchers say that the dialogues they studied between the attacker and support staff show that the actor is not a native English speaker. They deliberately ask to switch the conversation to Spanish, and they have also been observed speaking other languages. The gaming industry, and not only it, should stay alert, as the hackers use a very effective attack vector and a new arsenal of malware.
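A helpdesk-side triage check for this vector, added here as an example that is not part of the original article or of the researchers' tooling: it classifies a file submitted as a "screenshot" by its bytes rather than its name, and flags LNK or VBS content and double extensions. The file names and sample bytes are constructed for the example.

```python
# Magic bytes of the image formats a support operator would expect to receive.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Shell Link (.LNK) header: HeaderSize 0x0000004C, then CLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
SCRIPT_EXTS = (".lnk", ".vbs", ".vbe", ".js", ".wsf", ".bat", ".cmd", ".exe", ".scr")
VBS_MARKERS = (b"createobject(", b"wscript.shell", b"execute(")


def sniff(data: bytes) -> str:
    """Classify content by its bytes alone: 'image', 'lnk', 'vbs' or 'unknown'."""
    if data.startswith(LNK_HEADER):
        return "lnk"
    if any(data.startswith(m) for m in IMAGE_MAGIC.values()):
        return "image"
    head = data[:1024].lower()
    if any(marker in head for marker in VBS_MARKERS):
        return "vbs"
    return "unknown"


def triage(filename: str, data: bytes) -> list:
    """Return the reasons a 'screenshot' should be quarantined; empty means it looks like a plain image."""
    exts = ["." + p for p in filename.lower().split(".")[1:]]  # e.g. ['.png', '.lnk']
    kind = sniff(data)
    reasons = []
    if kind in ("lnk", "vbs"):
        reasons.append(f"content is a {kind.upper()} file, not an image")
    if exts and exts[-1] in SCRIPT_EXTS:
        # Explorer hides .lnk even when extensions are shown, so 'photo.png.lnk' displays as 'photo.png'.
        reasons.append(f"final extension {exts[-1]} is executable")
    if any(e in IMAGE_MAGIC for e in exts) and kind != "image":
        reasons.append("name claims an image but the bytes match no image format")
    return reasons


# Constructed samples (not real IceBreaker files): a genuine PNG header,
# a shortcut disguised as a PNG, and a VBScript fallback.
SAMPLES = {
    "login_error.png": IMAGE_MAGIC[".png"] + b"\x00" * 32,
    "login_error.png.lnk": LNK_HEADER + b"\x00" * 60,
    "screenshot.vbs": b'Set sh = CreateObject("WScript.Shell")\r\n',
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", triage(fname, blob) or ["looks like a plain image"])
```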
Malware delivery methods evolve constantly in response to their environment. Recent changes in Microsoft's policy on executing macros in files downloaded from the Internet rendered that delivery method almost useless. Moreover, after almost 4 years of total domination by email spam as a delivery method, companies began implementing proactive ways of countering this threat. For that reason, seeking new ways of spreading was a fairly obvious step.
A tactic that involves sending a message with a malicious attachment to tech support was anticipated. Moreover, any media content attracts support staff in their drab and dreary workflow. Fortunately, this new way of spreading malware is not yet widespread, even though the hackers have seemingly found a way to circumvent Microsoft's restrictions. Nonetheless, ignoring that messages to support may carry dangers other than bullying or criticism is reckless.