Hackers use new IceBreaker malware to breach gaming companies

An abstract image of digital security.
(Image credit: Shutterstock)

A new malware campaign targeting gaming and gambling companies has been reported and codenamed IceBreaker. 

The attackers contact the customer support section of the companies online to seemingly raise an issue. They attach a 'screenshot' to highlight their 'problem', which contains a backdoor - previously unseen by experts - to hack their endpoint.

The attacks have been reported since September 2022, and although the group behind them remains a mystery, some of their actions - such as requesting to speak to customer service agents in languages other than English - may be clues to their identity. 

TechRadar Pro needs you! (opens in new tab)
We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey (opens in new tab) and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Hiding in a JPEG

Whoever the group is, they appear to be using advanced techniques and have avoiding being exposed so far. 

Israeli cybersecurity firm Security Joes was able to stop three of their attacks after analyzing data from an incident in September 2022, but says the only public recognition of the threat actor was a single tweet from MalwareHunterTeam (opens in new tab).

The firm also notes that the attackers have asked to speak to customer service in Spanish, although they were observed conversing in other languages as well. Regardless, Security Joes believes that English is not their first language.

The apparent attached screenshots that they send to these companies contain a LNK file but masquerades as a JPG image file. It retrieves the IceBreaker backdoor, or downloads the well-known Visual Basic Script (VBS) Houdini Rat, which has been around for a decade, from the attacker's server without any user interaction or interface required.

The file is complex, compiled JavaScript, which Security Joes says can steal file and passwords, run scripts on the target's system, and open a proxy tunnel between the attacker and victim. Essentially, the backdoor gives the hackers control over the system, and what's more, can allow for further potential penetration within the company's network. 

The download that the LNK file initiates is an MSI payload containing the malware, and is poorly detected by antivirus services - Bleeping Computer reports that out of 60 scans on virus scanning website VirusTotal, the malware was only detected 4 times. 

The decoy files within the malware that feign a legitimate software signature mean that such tools do find anything wrong with it. 

Security Joes' report on IceBreaker (opens in new tab) contains adivce on how to spot the malware if you suspect it is on your system. Lookout for shortcut files created in the startup folder and opening of the open-source tsocks.exe program.

Lewis Maddison
Graduate Junior Writer

Lewis Maddison is a Graduate Junior Writer at TechRadar Pro. His coverage ranges from online security to the usage habits of technology in both personal and professional settings.

His main areas of interest lie in technology as it relates to social and cultural issues around the world, and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.