IceBreaker backdoor uses social engineering to hit targets

February 13, 2023

A relatively new backdoor, IceBreaker, has been spotted in the cybercriminal landscape targeting customer service staff at online gambling firms. Researchers report that the backdoor was first seen last September and that its operators rely on social engineering to deliver it to targets.

The source and origin of the IceBreaker backdoor are currently unknown. Researchers were, however, able to document how its operators run the campaign that spreads it.

In most cases, the threat actors pose as users seeking customer support from online gambling companies for problems with registering for, or logging in to, the service. In one incident the threat actors asked for a Spanish-speaking agent to handle their request, suggesting that they may be non-English speakers.

IceBreaker is a backdoor written in Node[.]js that offers a range of attack features.

Analysis of the IceBreaker backdoor shows that it is written for the Node[.]js server environment, which gives it a wide range of attack capabilities. A threat actor using the backdoor can customise it through plugins that extend its built-in features, and it supports process discovery.

It can also steal credentials, such as passwords and cookies, from the victim's local storage or from web browsers like Google Chrome, and it can enable a Socks5 reverse proxy server.

To establish persistence on a compromised machine, the backdoor can create LNK files in the Windows startup folder. It can also send files to the attacker-controlled server, run custom VBS scripts, open remote shell sessions, and take screenshots as needed.

Before any intrusion begins, the threat actors must trick the targeted customer service agents at online gambling firms into opening malicious "screenshot" files. The attackers claim they need help registering or logging in to their accounts and attach an image file that supposedly illustrates the problem.

However, the image is hosted on a malicious site that impersonates popular online tools, such as Avast Free Antivirus, Dropbox, or Formware 3D, and the victim's computer is infected once the file is downloaded and run.
</gml_replace>
<gr_replace lines="28" cat="clarify" orig="The researchers note that this process">
The researchers note that the process involves two payloads; which one the victim receives depends on the file type chosen when downloading the "image" (LNK or VBS). If the victim runs the LNK downloader, the IceBreaker backdoor is delivered; if the victim runs the VBS downloader, the Houdini RAT is delivered instead.

The researchers note that this process involves two payloads, of which one or the other would be delivered to the victim depending on which file they opt for when downloading the image (LNK or VBS). The IceBreaker backdoor will be delivered if the victim runs the LNK downloader but will deliver the Houdini RAT if the victim runs the VBS downloader.

Although details of the new backdoor's campaign are limited, security experts still consider it dangerous and advise treating it with vigilance. Companies, especially those already known to be targets of this backdoor, should deploy strong antivirus tooling on their systems and monitor their networks closely for suspicious files that may indicate a malware infection.
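As an added example (not code from the original report or from the researchers who analysed IceBreaker), the following Python script shows what monitoring for the two behaviours described above can look like: an LNK file being written into a Windows Startup folder, and a script host running a VBS file out of the Downloads directory. The event records and all file names in it are constructed for illustration, modelled loosely on Sysmon FileCreate (ID 11) and ProcessCreate (ID 1) fields.

```python
import re

# Constructed Sysmon-style events (not taken from the original report), modelled on the
# behaviours described in the article: an LNK dropped into the Startup folder for
# persistence, and a VBS downloader executed by wscript.exe from the Downloads folder.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Users\agent\Downloads\screenshot.exe",
     "target": r"C:\Users\agent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 11, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\agent\Downloads\screenshot.png"},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\agent\Downloads\screenshot.vbs"'},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\agent\notes.txt"},
]

# Per-user and all-users Startup folders both end with this path segment.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
VBS_FROM_DOWNLOADS = re.compile(r'\\downloads\\[^"]+\.vbs', re.IGNORECASE)


def classify(event):
    """Return a finding string for a suspicious event, or None if it looks benign."""
    # FileCreate: a .lnk written into a Startup folder matches the persistence
    # technique described for IceBreaker.
    if event.get("id") == 11:
        target = event.get("target", "")
        if target.lower().endswith(".lnk") and STARTUP_DIR.search(target):
            return f"startup_lnk:{target}"
    # ProcessCreate: a Windows script host executing a .vbs from Downloads matches
    # the VBS downloader path (Houdini RAT delivery).
    if event.get("id") == 1:
        exe = event.get("image", "").lower().rsplit("\\", 1)[-1]
        if exe in SCRIPT_HOSTS and VBS_FROM_DOWNLOADS.search(event.get("cmdline", "")):
            return f"vbs_from_downloads:{event['cmdline']}"
    return None


def scan(events):
    """Run every event through classify() and return the list of findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the same two rules would be expressed in the SIEM or EDR query language rather than in Python, but the logic (file extension plus location, and script host plus download path) carries over directly.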
