March 24, 2023 By Doug Bonderud 4 min read

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort.

Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process.

Here’s a look at how IceBreaker is cracking customer service and putting companies at risk.

Slippery slope? From helpful service to security breach

As noted by Tech Radar, the IceBreaker attack was first detected in September 2022. No group has taken credit for the attack so far, but there are some general clues to their origin. For example, they primarily target Spanish-speaking agents. They’ve also requested agents familiar with French or other languages but are avoiding English speakers.

The payload itself is an LNK file that appears to be a .jpg, which attackers upload into the chat session. They claim the “image” better explains issues with account access or functionality and ask customer service agents to download the file. If successful, the malware grabs the IceBreaker backdoor to establish a consistent connection and downloads an MSI-based malware payload. Attackers also come prepared with a VBS backup file if service agents can’t download the LNK file. Israeli firm Security Joes, which discovered the recent uptick in IceBreaker, says that attackers may also share links to ZIP files that supposedly contain images.

According to Bleeping Computer, the MSI file itself is hard for virus scanners to detect, with just four out of 60 scans returning positives. In part, this is thanks to a large set of decoy tools contained within the file. There’s also evidence that the C++ 64-bit executable used by IceBreaker has an unusual overlay that keeps part of its data attached to the end of the file itself. This, in turn, helps it better hide from AV tools.

Once IceBreaker has a network foothold, it can discover, steal and exfiltrate data. It can also enable a Socks5 reverse proxy server, generate remote shell sessions and customize itself using plugins that extend its feature set.

Signs of IceBreaker infection

An early warning sign of IceBreaker efforts is an uptick of requests by “customers” for service agents to download images. If agents take the bait, IceBreaker goes to work. According to the Security Joes report, while AV tools may not catch the malware in the act, there are indicators of infection that companies can detect.

The first is LNK files created in Windows startup folders; WINN.lnk is the most common. Teams should also be on the lookout for the unauthorized use of the open-source tool tsocks.exe. Additionally, they should look for the creation of msiexec.exe processes that are also receiving URLs as parameters. VBS scripts and LNK files launched from the Temp folder may also be an indicator of IceBreaker compromise.
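The host indicators listed above can be turned into a simple triage check over endpoint telemetry. The following Python is an added example, not code from the article or from Security Joes; the event records, file paths and URL (`cdn.invalid`) are constructed for illustration and the field names (`type`, `path`, `image`, `cmdline`) are assumptions about an export format.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real data), shaped like a process/file
# creation export from Sysmon or an EDR. A benign msiexec and an explorer event
# are included so the checks can be seen not to fire on them.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\agent\AppData\Roaming\Microsoft\Windows"
                             r"\Start Menu\Programs\Startup\WINN.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i https://cdn.invalid/update.msi /qn"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Installers\vendor.msi /qn"},
    {"type": "process", "image": r"C:\Users\agent\AppData\Local\Temp\tsocks.exe",
     "cmdline": "tsocks.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\agent\AppData\Local\Temp\update.vbs"'},
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)
TEMP_SCRIPT_RE = re.compile(r'[^\s"]+\\temp\\[^\s"]*\.(?:vbs|lnk)\b', re.IGNORECASE)

def check_event(ev):
    """Return the names of the article's indicators that one event matches."""
    hits = []
    if ev["type"] == "file":
        if STARTUP_RE.search(ev["path"]):
            hits.append("lnk_in_startup_folder")
            if PureWindowsPath(ev["path"]).name.lower() == "winn.lnk":
                hits.append("winn_lnk_name")
        return hits
    image = PureWindowsPath(ev["image"]).name.lower()
    cmd = ev.get("cmdline", "")
    if image == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("msiexec_with_url")
    if image == "tsocks.exe":
        hits.append("tsocks_execution")
    if TEMP_SCRIPT_RE.search(cmd):  # .vbs or .lnk launched out of a Temp folder
        hits.append("script_launched_from_temp")
    return hits

def triage(events):
    """Group events by matched indicator so an analyst sees what fired and why."""
    report = {}
    for ev in events:
        for name in check_event(ev):
            report.setdefault(name, []).append(ev)
    return report
```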

Breaking the ice: How companies can stay safe

IceBreaker infections rely on the social and helpful nature of human beings, especially those in customer service. Tasked with resolving issues, well-intentioned agents may not realize the risk of downloading a “jpg” or opening a ZIP file. And with no history of similar attacks, gambling and gaming companies are unprepared for this possible threat vector.

There are steps companies can take to reduce the risk of IceBreaker cracks, including:

Review chat logs

By taking the time to view agent chat logs, businesses can pinpoint requests by customers for service agents to download files or open links. If logs don’t show these requests, it’s likely that businesses haven’t been exposed to IceBreaker. If file actions are being asked of staff, companies should determine when this behavior started and determine its trajectory. Is it steady over time? Decreasing? Increasing?

More requests suggest that attackers are getting closer and closer to success. This should provide the impetus for companies to take action.
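The chat-log review described above can be scripted: flag customer messages that share a shortcut or archive dressed up as an image, or that ask the agent to download or open a "picture", then count the flagged requests per month to answer the steady/decreasing/increasing question. This Python is an added example, not code from the article; the transcript lines, ticket numbers and the `files.invalid` URL are constructed, and the line format "timestamp ticket role: text" is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed chat transcript (not real data), one "timestamp ticket role: text" per line.
SAMPLE_CHAT = """\
2022-11-03T09:14:00 1001 customer: hi I cannot deposit, see error.jpg.lnk attached, please download and check
2022-11-03T09:15:10 1001 agent: let me take a look
2022-11-12T12:40:00 1009 customer: I forgot my password
2022-12-02T12:30:00 1042 customer: can you open this image of my account? error_login.jpg.lnk
2022-12-20T17:02:44 1057 customer: the bonus page is broken, screenshot here https://files.invalid/proof.zip
2023-01-04T10:00:00 1090 customer: screenshot.zip attached, download it and you'll see the bug
2023-01-09T11:11:11 1093 customer: please open the attached picture scr.jpg.lnk
2023-01-15T14:20:00 1101 customer: image attached showing error, please download ticket.zip
2023-01-28T19:44:09 1109 customer: please download the photo i sent, it explains the problem
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (customer|agent): (.*)$")
FILE_RE = re.compile(r"\b[\w.-]+\.(?:lnk|zip)\b", re.IGNORECASE)  # "image" that is really a shortcut/archive
ASK_RE = re.compile(r"\b(?:download|open)\b", re.IGNORECASE)
IMAGE_RE = re.compile(r"\b(?:image|picture|photo|screenshot|jpg)\b", re.IGNORECASE)

def flag_message(text):
    """Return a reason if a customer message tries to get the agent to fetch a file, else None."""
    if FILE_RE.search(text):
        return "shortcut_or_archive_shared"
    if ASK_RE.search(text) and IMAGE_RE.search(text):
        return "agent_asked_to_open_image"
    return None

def monthly_counts(chat):
    """Count flagged customer requests per month (agent lines are ignored)."""
    counts = Counter()
    for line in chat.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "customer" and flag_message(m.group(4)):
            counts[datetime.fromisoformat(m.group(1)).strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))

def trajectory(counts):
    """Answer the article's question: is request volume increasing, decreasing or steady?"""
    v = list(counts.values())
    if len(v) < 2:
        return "insufficient data"
    if all(b > a for a, b in zip(v, v[1:])):
        return "increasing"
    if all(b < a for a, b in zip(v, v[1:])):
        return "decreasing"
    return "steady"
```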

Recognize social realities

With defenders and aggressors now in an IT arms race, attackers are falling back on their most reliable compromise method: human beings. As a result, businesses need to recognize the reality of social engineering and educate staff accordingly.

The nature of humans to be sociable and helpful — especially those whose jobs depend on these friendly functions — makes social engineering an effective way for attackers to gain network access. With gambling and gaming accounts, agents want to help customers solve issues to keep revenue flowing.

By training staff on what social engineering looks like in the context of service requests, they’re better able to identify and flag potential problems.

Shift service processes

Companies may also benefit by shifting service processes away from local networks. This could take the form of outsourcing the service process or simply moving to a cloud framework. In both cases, the move helps frustrate attacker efforts since compromise won’t empower them to move laterally within corporate networks to access user or financial data.

Pumping the brakes on IceBreaker

While little is known about IceBreaker’s origins or long-term goals, it’s clear that this malware is breaking the mold. By combining the problem-solving nature of customer service agents with targeted social engineering efforts, attackers have developed a new way to bypass security systems and make their way into data-rich gaming and gambling networks.

As work continues to uncover IceBreaker efforts, total compromise numbers will likely drop. In the meantime, however, it’s critical for companies to carefully monitor their chat logs, recognize the impact of social engineering and consider shifting service functions away from local networks where possible.
