March 24, 2023 By Doug Bonderud

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort.

Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process.

Here’s a look at how IceBreaker is cracking customer service and putting companies at risk.

Slippery slope? From helpful service to security breach

As noted by Tech Radar, the IceBreaker attack was first detected in September 2022. No group has taken credit for the attack so far, but there are some general clues to their origin. For example, they primarily target Spanish-speaking agents. They’ve also requested agents familiar with French or other languages but are avoiding English speakers.

The payload itself is an LNK file that appears to be a .jpg, which attackers upload into the chat session. They claim the “image” better explains issues with account access or functionality and ask customer service agents to download the file. If successful, the malware grabs the IceBreaker backdoor to establish a consistent connection and downloads an MSI-based malware payload. Attackers also come prepared with a VBS backup file if service agents can’t download the LNK file. Israeli firm Security Joes, which discovered the recent uptick in IceBreaker, says that attackers may also share links to ZIP files that supposedly contain images.

According to Bleeping Computer, the MSI file itself is hard for virus scanners to detect, with just four out of 60 scans returning positives. In part, this is thanks to a large set of decoy tools contained within the file. There’s also evidence that the C++ 64-bit executable used by IceBreaker has an unusual overlay that keeps part of its data attached to the end of the file itself. This, in turn, helps it better hide from AV tools.

Once IceBreaker has a network foothold, it can discover, steal and exfiltrate data. It can also enable a Socks5 reverse proxy server, generate remote shell sessions and customize itself using plugins that extend its feature set.

Signs of IceBreaker infection

An early warning sign of IceBreaker efforts is an uptick of requests by “customers” for service agents to download images. If agents take the bait, IceBreaker goes to work. According to the Security Joes report, while AV tools may not catch the malware in the act, there are indicators of infection that companies can detect.

The first is LNK files created in Windows startup folders; WINN.lnk is the most common. Teams should also be on the lookout for the unauthorized use of the open-source tool tsocks.exe. Additionally, they should look for the creation of msiexec.exe processes that are also receiving URLs as parameters. VBS scripts and LNK files launched from the Temp folder may also be an indicator of IceBreaker compromise.
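The four indicators above can be expressed as rules over endpoint telemetry. The following is an added example, not code from the Security Joes report; the event field names (`type`, `path`, `image`, `command_line`) and the sample events are constructed assumptions to be mapped onto whatever your EDR or process-logging export provides.

```python
import ntpath
import re

# One pattern per indicator named in the paragraph above.
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
URL = re.compile(r"https?://\S+", re.I)
TEMP_SCRIPT = re.compile(r'\\temp\\[^"]*\.(vbs|lnk)\b', re.I)

# Constructed sample events (hypothetical schema, hypothetical hosts and paths).
EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\agent1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WINN.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i https://example.invalid/pkg.msi /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Installers\vpn.msi"},   # local install: benign
    {"type": "process", "image": r"C:\Users\agent1\AppData\Local\Temp\tsocks.exe",
     "command_line": "tsocks.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\agent1\AppData\Local\Temp\Screenshot.vbs"'},
    {"type": "file_create", "path": r"C:\Users\agent1\Desktop\Notes.lnk"},  # benign
]


def classify(event):
    """Return the names of the IceBreaker indicators that one event matches."""
    if event["type"] == "file_create":
        return ["startup_lnk"] if STARTUP_LNK.search(event["path"]) else []
    hits = []
    image = ntpath.basename(event["image"]).lower()  # parses backslash paths on any OS
    cmd = event.get("command_line", "")
    if image == "tsocks.exe":
        hits.append("tsocks")          # review against an allowlist of approved use
    if image == "msiexec.exe" and URL.search(cmd):
        hits.append("msiexec_url")     # installer fetched straight from a URL
    if TEMP_SCRIPT.search(cmd):
        hits.append("temp_script")     # VBS or LNK launched out of a Temp folder
    return hits


def scan(events):
    """Map event index -> matched indicators, skipping events with no match."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


if __name__ == "__main__":
    for index, hits in scan(EVENTS).items():
        print(index, hits)
```
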

Breaking the ice: How companies can stay safe

IceBreaker infections rely on the social and helpful nature of human beings, especially those in customer service. Tasked with resolving issues, well-intentioned agents may not realize the risk of downloading a “jpg” or opening a ZIP file. And with no history of similar attacks, gambling and gaming companies are unprepared for this possible threat vector.

There are steps companies can take to reduce the risk of IceBreaker cracks, including:

Review chat logs

By taking the time to view agent chat logs, businesses can pinpoint requests by customers for service agents to download files or open links. If logs don’t show these requests, it’s likely that businesses haven’t been exposed to IceBreaker. If file actions are being asked of staff, companies should determine when this behavior started and what its trajectory is. Is it steady over time? Decreasing? Increasing?

More requests suggest that attackers are getting closer and closer to success. This should provide the impetus for companies to take action.
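One way to run that review over exported chat records, as an added example that is not part of the original article: it finds customer messages asking the agent to open or download something, reports when they first appeared and how the weekly count is moving. The record layout, the keyword heuristic and the sample messages are constructed assumptions.

```python
import re
from collections import Counter
from datetime import date

# Assumed heuristic: a request verb followed shortly by a file or link noun.
REQUEST_RE = re.compile(
    r"\b(download|open|click|view)\b.{0,60}?"
    r"\b(file|image|screenshot|attachment|link|zip|jpg)\b", re.I | re.S)

# Constructed chat records: (date, sender role, message text).
MESSAGES = [
    (date(2023, 1, 3), "customer", "I can't log in, my password reset email never arrives."),
    (date(2023, 1, 4), "customer", "Please open the screenshot I uploaded, it shows the error."),
    (date(2023, 1, 5), "agent", "Could you download the latest app version?"),
    (date(2023, 1, 17), "customer", "Download this image, it explains my account problem."),
    (date(2023, 1, 18), "customer", "Just click the link to the zip with my pictures."),
    (date(2023, 1, 24), "customer", "Can you open the attachment?"),
    (date(2023, 1, 25), "customer", "Please download the jpg I sent."),
    (date(2023, 1, 26), "customer", "Open this file so you can see the issue."),
]


def review(messages):
    """Return (first_seen, requests per ISO week, trend) for customer requests."""
    hits = sorted(day for day, sender, text in messages
                  if sender == "customer" and REQUEST_RE.search(text))
    weekly = Counter(tuple(day.isocalendar()[:2]) for day in hits)
    counts = [weekly[week] for week in sorted(weekly)]
    if len(counts) < 2:
        trend = "insufficient data"
    else:
        # Compare the earliest half of the observed weeks with the latest half.
        half = len(counts) // 2
        early, late = sum(counts[:half]), sum(counts[-half:])
        trend = ("increasing" if late > early
                 else "decreasing" if late < early else "steady")
    return (hits[0] if hits else None), dict(sorted(weekly.items())), trend


if __name__ == "__main__":
    first_seen, weekly, trend = review(MESSAGES)
    print("first seen:", first_seen)
    print("per ISO week:", weekly)
    print("trend:", trend)
```

Matches are leads for a human reviewer, not verdicts: legitimate customers also send screenshots, so the value is in the start date and the trend rather than any single hit.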

Recognize social realities

With defenders and aggressors now in an IT arms race, attackers are falling back on their most reliable compromise method: human beings. As a result, businesses need to recognize the reality of social engineering and educate staff accordingly.

The nature of humans to be sociable and helpful — especially those whose jobs depend on these friendly functions — makes social engineering an effective way for attackers to gain network access. With gambling and gaming accounts, agents want to help customers solve issues to keep revenue flowing.

Training staff on what social engineering looks like in the context of service requests leaves them better able to identify and flag potential problems.

Shift service processes

Companies may also benefit by shifting service processes away from local networks. This could take the form of outsourcing the service process or simply moving to a cloud framework. In both cases, the move helps frustrate attacker efforts since compromise won’t empower them to move laterally within corporate networks to access user or financial data.

Pumping the brakes on IceBreaker

While little is known about IceBreaker’s origins or long-term goals, it’s clear that this malware is breaking the mold. By combining the problem-solving nature of customer service agents with targeted social engineering efforts, attackers have developed a new way to bypass security systems and make their way into data-rich gaming and gambling networks.

As work continues to uncover IceBreaker efforts, total compromise numbers will likely drop. In the meantime, however, it’s critical for companies to carefully monitor their chat logs, recognize the impact of social engineering and consider shifting service functions away from local networks where possible.
