Hackers use new IceBreaker malware to breach gaming companies

An abstract image of digital security.
(Image credit: Shutterstock)

A new malware campaign targeting gaming and gambling companies has been reported and codenamed IceBreaker. 

The attackers contact the customer support section of the companies online to seemingly raise an issue. They attach a 'screenshot' to highlight their 'problem', which contains a backdoor - previously unseen by experts - to hack their endpoint.

The attacks have been reported since September 2022, and although the group behind them remains a mystery, some of their actions - such as requesting to speak to customer service agents in languages other than English - may be clues to their identity. 

TechRadar Pro needs you!
We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Hiding in a JPEG

Whoever the group is, they appear to be using advanced techniques and have avoiding being exposed so far. 

Israeli cybersecurity firm Security Joes was able to stop three of their attacks after analyzing data from an incident in September 2022, but says the only public recognition of the threat actor was a single tweet from MalwareHunterTeam.

The firm also notes that the attackers have asked to speak to customer service in Spanish, although they were observed conversing in other languages as well. Regardless, Security Joes believes that English is not their first language.

The apparent attached screenshots that they send to these companies contain a LNK file but masquerades as a JPG image file. It retrieves the IceBreaker backdoor, or downloads the well-known Visual Basic Script (VBS) Houdini Rat, which has been around for a decade, from the attacker's server without any user interaction or interface required.

The file is complex, compiled JavaScript, which Security Joes says can steal file and passwords, run scripts on the target's system, and open a proxy tunnel between the attacker and victim. Essentially, the backdoor gives the hackers control over the system, and what's more, can allow for further potential penetration within the company's network. 

The download that the LNK file initiates is an MSI payload containing the malware, and is poorly detected by antivirus services - Bleeping Computer reports that out of 60 scans on virus scanning website VirusTotal, the malware was only detected 4 times. 

The decoy files within the malware that feign a legitimate software signature mean that such tools do find anything wrong with it. 

Security Joes' report on IceBreaker contains adivce on how to spot the malware if you suspect it is on your system. Lookout for shortcut files created in the startup folder and opening of the open-source tsocks.exe program.

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.

TOPICS