A new malware campaign, code-named IceBreaker, has been reported targeting gaming companies.
The attacker contacted the targeted company’s customer support department online, posing as a user with a question. To illustrate the supposed problem, they attached a “screenshot” that actually carried a backdoor, previously unknown to analysts, designed to compromise the support agent’s endpoint.
The attacks have been reported since September 2022, and while the organization behind them remains a mystery, some of their behavior — such as asking to speak to a customer service agent in a language other than English — could be a clue to their identity.
Hiding in a JPEG
Whoever this group is, they appear to be using advanced technology and have avoided exposure so far.
Israeli cybersecurity firm Security Joes managed to stop three attacks after analyzing data from an incident in September 2022, but said the only public acknowledgement of the threat actor so far was a single tweet from MalwareHunterTeam.
The company also noted that the attackers asked to speak to customer service in Spanish, although they were observed using other languages too. Either way, Security Joes does not believe English is their first language.
The supposed screenshots sent to these companies were in fact LNK shortcut files disguised as JPG images. Once opened, the shortcut retrieves the IceBreaker backdoor from the attacker’s server, or alternatively downloads Houdini, a well-known Visual Basic Script (VBS) RAT that has been around for a decade; no further user interaction is required.
The download initiated by the LNK file is an MSI payload containing malware, which is difficult for antivirus services to detect—Bleeping Computer reports that the malware was detected in only 4 out of 60 scans by virus scanning site VirusTotal.
The malware also ships with decoy files that masquerade as legitimately signed software, which makes it even harder for such tools to flag anything wrong with it.
Security Joes’ report on IceBreaker contains advice on how to spot the malware if you suspect it is on your system: look for a shortcut file created in the Startup folder and for the open-source tsocks.exe program being launched.
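As an added defender-side example, not taken from the Security Joes report or from this article, the Python check below covers the two traits described above: it classifies files by their Shell Link header instead of trusting a .jpg name, and it lists shortcuts sitting in the Windows Startup folders. The default Startup paths and the sample files built for it are assumptions.

```python
import os
from pathlib import Path

# Shell Link header: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png"}


def sniff(path):
    """Classify a file by its leading bytes: 'lnk', 'jpeg', 'png' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(len(LNK_MAGIC))
    if head.startswith(LNK_MAGIC):
        return "lnk"
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def find_disguised_shortcuts(directory):
    """Return [(path, reason)] for files that pose as images but are shortcuts.

    Catches both lure styles: 'screenshot.jpg' whose bytes are a Shell Link, and
    'screenshot.jpg.lnk', which Explorer shows as 'screenshot.jpg' when known
    extensions are hidden.
    """
    hits = []
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file():
            continue
        suffixes = [s.lower() for s in path.suffixes]
        if not any(s in IMAGE_EXTS for s in suffixes):
            continue  # does not claim to be an image, out of scope here
        if suffixes[-1] == ".lnk":
            hits.append((str(path), "image name with hidden .lnk extension"))
        elif sniff(path) == "lnk":
            hits.append((str(path), "image extension but Shell Link header"))
    return hits


def shortcuts_in_startup(startup_dirs=None):
    """List every file with a Shell Link header in the given Startup folders."""
    if startup_dirs is None:  # assumed Windows defaults; pass your own list elsewhere
        startup_dirs = [
            os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
            os.path.expandvars(r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"),
        ]
    return [str(p) for d in startup_dirs for p in Path(d).glob("*")
            if p.is_file() and sniff(p) == "lnk"]
```

Run `find_disguised_shortcuts` over a mail-attachment or download folder and `shortcuts_in_startup()` on the endpoint; a hit in either is a reason to pull the file for analysis rather than open it.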