Hackers use new IceBreaker malware to breach gaming companies

An abstract image of digital security.
(Image credit: Shutterstock)

A new malware campaign targeting gaming and gambling companies has been reported and codenamed IceBreaker. 

The attackers contact the customer support section of the companies online to seemingly raise an issue. They attach a 'screenshot' to highlight their 'problem', which contains a backdoor - previously unseen by experts - to hack their endpoint.

The attacks have been reported since September 2022, and although the group behind them remains a mystery, some of their actions - such as requesting to speak to customer service agents in languages other than English - may be clues to their identity. 

TechRadar Pro needs you!
We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Hiding in a JPEG

Whoever the group is, they appear to be using advanced techniques and have avoiding being exposed so far. 

Israeli cybersecurity firm Security Joes was able to stop three of their attacks after analyzing data from an incident in September 2022, but says the only public recognition of the threat actor was a single tweet from MalwareHunterTeam.

The firm also notes that the attackers have asked to speak to customer service in Spanish, although they were observed conversing in other languages as well. Regardless, Security Joes believes that English is not their first language.

The apparent attached screenshots that they send to these companies contain a LNK file but masquerades as a JPG image file. It retrieves the IceBreaker backdoor, or downloads the well-known Visual Basic Script (VBS) Houdini Rat, which has been around for a decade, from the attacker's server without any user interaction or interface required.

The file is complex, compiled JavaScript, which Security Joes says can steal file and passwords, run scripts on the target's system, and open a proxy tunnel between the attacker and victim. Essentially, the backdoor gives the hackers control over the system, and what's more, can allow for further potential penetration within the company's network. 

The download that the LNK file initiates is an MSI payload containing the malware, and is poorly detected by antivirus services - Bleeping Computer reports that out of 60 scans on virus scanning website VirusTotal, the malware was only detected 4 times. 

The decoy files within the malware that feign a legitimate software signature mean that such tools do find anything wrong with it. 

Security Joes' report on IceBreaker contains adivce on how to spot the malware if you suspect it is on your system. Lookout for shortcut files created in the startup folder and opening of the open-source tsocks.exe program.

Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.