Hackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker.
Researchers at incident response firm Security Joes believe that the IceBreaker backdoor is the work of a new advanced threat actor that uses “a very specific social engineering technique,” which could lead to a clearer picture of who they are.
How IceBreaker is delivered
To deliver the backdoor, the threat actor contacts the customer support of the target company pretending to be a user who has problems logging in or registering for the online service. The attacker then convinces the support agent to download an image that supposedly describes the problem better than they can explain it in words.

The researchers say the image is typically hosted on a fake website that impersonates a legitimate service (the screenshot-themed domains in the indicators below), although they also saw it delivered from Dropbox storage.

What the agent downloads is not a harmless image. A malicious LNK shortcut is the main first-stage payload delivering the IceBreaker malware, while a VBS file is included as a backup in case the support operator is unable to run the shortcut.

Security Joes describes the downloaded malware as a "highly complex" compiled JavaScript file. It can discover running processes, steal passwords, cookies and files, open a proxy tunnel for the attacker, and execute scripts retrieved from the attackers' server.

Security Joes says the dialogs it examined between the threat actor and the support agents indicate that the IceBreaker operator is not a native English speaker and purposefully asks to speak with Spanish-speaking agents, although the actor was also seen using other languages.

The only public evidence of the IceBreaker threat actor the researchers could find was a tweet from MalwareHunterTeam in October.

Security Joes recommends that companies suspecting a breach involving IceBreaker look for shortcut files created in the Startup folder and check for unauthorized execution of the open-source proxy tool tsocks.exe.
Indicators of Compromise
screenshotcap[.]com
screenshotlite[.]com
screenshot[.]icu
xn--screenshot-iib[.]net
xn--screenshot-jib[.]net
178[.]63[.]65[.]51
194[.]5[.]97[.]17
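The following PowerShell triage script is an added example, not code from the Security Joes report or from this article. It implements the two checks the researchers recommend (shortcut files in the Startup folders and process-creation events for tsocks.exe) and, in addition, searches the local DNS resolver cache and active TCP connections for the domains and IP addresses listed above. It assumes Sysmon is installed for the process-creation log (the Security-log fallback, event 4688, only contains data if process-creation auditing is enabled), that the indicator list above is the complete set, and that matching tsocks.exe against the event message text is sufficient; the de-fanged indicators are converted back to real names before matching.

```powershell
# Added example (not from the Security Joes report or the article): host triage for the
# IceBreaker indicators described above. Run in an elevated PowerShell session on the
# suspect Windows host. Assumptions: Sysmon is installed (Event ID 1); the Security-log
# fallback (4688) only has events if process-creation auditing is enabled.

# Indicators from the article, de-fanged form converted back to real names.
$DefangedDomains = @(
    'screenshotcap[.]com', 'screenshotlite[.]com', 'screenshot[.]icu',
    'xn--screenshot-iib[.]net', 'xn--screenshot-jib[.]net'
)
$DefangedIPs = @('178[.]63[.]65[.]51', '194[.]5[.]97[.]17')
$Domains = $DefangedDomains | ForEach-Object { ($_ -replace '\[\.\]', '.').ToLower() }
$IPs     = $DefangedIPs     | ForEach-Object { $_ -replace '\[\.\]', '.' }

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Category, $Detail) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Shortcut (.lnk) files in the per-user and all-users Startup folders. The LNK is the
#    first-stage payload, so record the target and arguments of anything found here.
$Shell = New-Object -ComObject WScript.Shell
foreach ($Folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $Folder -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $Lnk = $Shell.CreateShortcut($_.FullName)
        Add-Finding 'StartupLNK' ("{0} -> {1} {2}" -f $_.FullName, $Lnk.TargetPath, $Lnk.Arguments)
    }
}

# 2. Process-creation events mentioning tsocks.exe. Sysmon (Event ID 1) first, then the
#    Security log (4688). Missing logs or zero results are silently skipped.
$Filters = @(
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 },
    @{ LogName = 'Security'; Id = 4688 }
)
foreach ($F in $Filters) {
    Get-WinEvent -FilterHashtable $F -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)tsocks\.exe' } |
        ForEach-Object {
            Add-Finding 'tsocksExec' ("{0} {1} EventId={2}" -f $_.TimeCreated, $F.LogName, $_.Id)
        }
}

# 3. Network indicators: resolver cache entries ending in a listed domain, and live
#    TCP connections to a listed IP address.
$Cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($D in $Domains) {
    $Cache | Where-Object { $_.Entry -and $_.Entry.ToLower().EndsWith($D) } | ForEach-Object {
        Add-Finding 'DnsCache' ("{0} -> {1}" -f $_.Entry, $_.Data)
    }
}
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $IPs -contains $_.RemoteAddress } |
    ForEach-Object {
        Add-Finding 'NetConn' ("{0}:{1} pid={2} state={3}" -f $_.RemoteAddress, $_.RemotePort, $_.OwningProcess, $_.State)
    }

if ($Findings.Count -eq 0) {
    'No IceBreaker indicators found on this host.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Two caveats when reading the output: tsocks is an open-source tool, so a hit on tsocks.exe must be checked against the parent process and command line before being treated as malicious, and the script does not cover the VBS backup path or the Dropbox-hosted delivery the researchers also observed, so an empty result is not proof of a clean host.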