
IceBreaker Malware

A threatening attack campaign, dubbed IceBreaker, targets the gaming and gambling sectors and has been active since at least September 2022. The attack uses clever social engineering tactics to deploy a JavaScript backdoor. Details about the attack campaign and the deployed IceBreaker Backdoor were first released by security researchers at the Israeli cybersecurity company Security Joes.

The Attackers behind IceBreaker Rely on Social Engineering

The threat actors begin their attack chain by posing as a customer and initiating conversations with support agents for gaming companies. The actors claim to have account registration issues and then encourage the agent to open a screenshot image hosted on Dropbox. The cybercriminals take advantage of the fact that the chosen customer service is human-operated.

Clicking on the link of the supposed screenshot sent in the chat leads to either an LNK payload or a VBScript file. The LNK payload is configured to fetch and execute an MSI package carrying a Node.js implant on the victim's machine.

The Threatening Capabilities of the IceBreaker Malware

The corrupted JavaScript file can be used by the threat actors to gain access to a victim's computer. It has all of the capabilities typically observed in backdoor threats - the ability to enumerate running processes, collect passwords and cookies, exfiltrate arbitrary files, take screenshots, run VBScript imported from a remote server, and even open a reverse proxy on the compromised host. If the VBS downloader is executed by the victim instead, it will deploy a different payload named Houdini - a VBS-based Remote Access Trojan (RAT) that has been around since 2013. This malware can be used to gain unauthorized access to the victim's system and potentially cause damage or collect sensitive information.
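The delivery chain described above (an LNK fetching an MSI that drops a Node.js implant, or a VBS downloader run by a script host) leaves a recognisable process-creation trail. The following is an added detection example, not code from the page or from Security Joes: it applies three heuristic rules to constructed Sysmon-style process events. The field names, the sample paths and the rule thresholds are assumptions for illustration.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i https://example.invalid/screenshot.msi /qn"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Users\agent\AppData\Local\Temp\node.exe",
     "CommandLine": r"node.exe C:\Users\agent\AppData\Local\Temp\app.js"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\agent\Downloads\screenshot.vbs"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Git\git.exe",
     "CommandLine": "git.exe status"},
]

USER_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")


def check_event(ev):
    """Return the names of the heuristic rules this event triggers."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    # Rule 1: Windows Installer asked to install a package straight from a URL,
    # which matches the LNK stage fetching and executing a remote MSI.
    if image.endswith("msiexec.exe") and re.search(r"\bhttps?://", cmd):
        hits.append("msiexec_remote_package")
    # Rule 2: node.exe started by the installer from a user-writable directory,
    # i.e. the Node.js implant carried inside the MSI.
    if (image.endswith("node.exe") and parent.endswith("msiexec.exe")
            and any(d in image for d in USER_DIRS)):
        hits.append("node_spawned_by_installer")
    # Rule 3: a script host running a .vbs from a download/temp location,
    # which matches the VBS downloader branch of the chain.
    if (image.endswith(("wscript.exe", "cscript.exe")) and ".vbs" in cmd
            and any(d in cmd for d in USER_DIRS)):
        hits.append("vbs_from_user_dir")
    return hits


def scan(events):
    """Map event index -> triggered rules, keeping only events with hits."""
    return {i: check_event(ev) for i, ev in enumerate(events) if check_event(ev)}
```

Each rule on its own will produce some benign matches (legitimate MSI installs from a URL, developer tooling under AppData), so in practice they are best correlated within a short time window on the same host.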
