March 24, 2023 By Doug Bonderud 4 min read

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort.

Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process.

Here’s a look at how IceBreaker is cracking customer service and putting companies at risk.

Slippery slope? From helpful service to security breach

As noted by Tech Radar, the IceBreaker attack was first detected in September 2022. No group has taken credit for the attack so far, but there are some general clues to their origin. For example, they primarily target Spanish-speaking agents. They’ve also requested agents familiar with French or other languages but are avoiding English speakers.

The payload itself is an LNK shortcut disguised as a .jpg, which the attackers upload into the chat session. They claim the “image” better explains their problem with account access or functionality and ask the agent to download it. If the agent opens the file, the shortcut fetches an MSI-based malware payload that installs the IceBreaker backdoor and establishes a persistent connection to the attackers. The attackers also come prepared with a VBS fallback in case the agent can’t download the LNK file. Israeli firm Security Joes, which discovered the recent uptick in IceBreaker activity, says the attackers may also share links to ZIP files that supposedly contain images.

According to Bleeping Computer, the MSI file itself is hard for antivirus scanners to detect: only four of 60 engines flagged it. This is partly because of the large set of decoy tools bundled inside the file. There’s also evidence that the 64-bit C++ executable used by IceBreaker carries an unusual overlay, meaning part of its data is appended after the end of the executable image rather than stored in a regular section. Scanners that only inspect the declared sections miss that data, which helps the sample hide from AV tools.

Once IceBreaker has a foothold on the agent’s machine, it can discover, steal and exfiltrate data. It can also start a SOCKS5 reverse proxy, open remote shell sessions and extend its feature set through plugins.

Signs of IceBreaker infection

An early warning sign of IceBreaker activity is an uptick in requests from “customers” for service agents to download images. If agents take the bait, IceBreaker goes to work. According to the Security Joes report, AV tools may not catch the malware in the act, but there are indicators of infection that companies can detect.

The first is LNK files created in the Windows Startup folders; WINN.lnk is the most common name. Teams should also watch for unauthorized use of the open-source tool tsocks.exe, and for msiexec.exe processes that receive a URL as a parameter rather than a local installer path. VBS scripts and LNK files launched from the Temp folder may also indicate an IceBreaker compromise.
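The indicators above translate directly into a hunt over endpoint telemetry. The script below is an added example, not code from the Security Joes report or from IBM. It assumes Sysmon-like event records (EventID 1 for process creation, EventID 11 for file creation) with the field names shown; the sample events, the host names and the example.invalid URL are constructed for the demonstration.

```python
"""Host-side hunt for the IceBreaker indicators described above.

Added example, not code from Security Joes' report or from IBM. The event
records are constructed sample data in a Sysmon-like shape (EventID 1 =
process creation, EventID 11 = file creation); rename the fields to match
your own EDR or SIEM export.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Tuple

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')  # quoted path or bare token


def folder_parts(path: str) -> List[str]:
    """Lower-cased path components, e.g. ['c:', 'users', 'agent', ...]."""
    return [p.lower().rstrip("\\") for p in PureWindowsPath(path).parts]


def in_startup_folder(path: str) -> bool:
    """True for the per-user and the all-users Startup folder
    (...\\Start Menu\\Programs\\Startup\\...)."""
    parts = folder_parts(path)
    return "programs" in parts and "startup" in parts


def in_temp_folder(path: str) -> bool:
    """True for %TEMP% (AppData\\Local\\Temp) and C:\\Windows\\Temp."""
    return "temp" in folder_parts(path)


def command_line_tokens(cmdline: str) -> List[str]:
    """Split a command line, keeping quoted paths with spaces intact."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def check_event(ev: dict) -> List[str]:
    """Return the indicator tags a single event matches (empty if none)."""
    hits: List[str] = []
    if ev.get("EventID") == 11:
        target = ev.get("TargetFilename", "")
        name = PureWindowsPath(target).name.lower()
        if name.endswith(".lnk") and in_startup_folder(target):
            # WINN.lnk is the name most often seen; any Startup LNK is worth a look
            hits.append("startup_lnk_winn" if name == "winn.lnk" else "startup_lnk")
    elif ev.get("EventID") == 1:
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        cmd = ev.get("CommandLine", "")
        if image == "tsocks.exe":
            hits.append("tsocks_execution")
        if image == "msiexec.exe" and URL_RE.search(cmd):
            hits.append("msiexec_remote_url")  # installer fetched from a URL
        for tok in command_line_tokens(cmd):
            if tok.lower().endswith((".vbs", ".lnk")) and in_temp_folder(tok):
                hits.append("script_from_temp")
                break
    return hits


def scan(events: List[dict]) -> List[Tuple[str, str, str]]:
    """(host, indicator, artifact) for every event that matched."""
    findings = []
    for ev in events:
        artifact = ev.get("Image") or ev.get("TargetFilename", "")
        for tag in check_event(ev):
            findings.append((ev.get("Host", "?"), tag, artifact))
    return findings


# Constructed sample telemetry: four indicators on one workstation, two benign
# events on another. example.invalid is a reserved, non-routable name.
SAMPLE_EVENTS = [
    {"Host": "cs-ws-07", "EventID": 11,
     "TargetFilename": r"C:\Users\agent\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\WINN.lnk"},
    {"Host": "cs-ws-07", "EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i https://example.invalid/update.msi /qn"},
    {"Host": "cs-ws-07", "EventID": 1,
     "Image": r"C:\Users\agent\AppData\Local\Temp\tsocks.exe",
     "CommandLine": "tsocks.exe"},
    {"Host": "cs-ws-07", "EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\agent\AppData\Local\Temp\ticket 4411.vbs"'},
    {"Host": "cs-ws-02", "EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\agent\Downloads\installer.msi" /qn'},
    {"Host": "cs-ws-02", "EventID": 11,
     "TargetFilename": r"C:\Users\agent\Desktop\Notes.lnk"},
]

if __name__ == "__main__":
    for host, tag, artifact in scan(SAMPLE_EVENTS):
        print(f"{host}: {tag} -> {artifact}")
```

The msiexec check deliberately keys on a URL in the command line rather than on msiexec itself, since local installs are routine on agent workstations; the Temp check looks at script and shortcut paths in the command line because the launched process, not the LNK, is what shows up in process-creation telemetry.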

Breaking the ice: How companies can stay safe

IceBreaker infections rely on the social and helpful nature of human beings, especially those in customer service. Tasked with resolving issues, well-intentioned agents may not realize the risk of downloading a “jpg” or opening a ZIP file. And with no history of similar attacks, gambling and gaming companies are unprepared for this possible threat vector.

There are steps companies can take to reduce the risk of IceBreaker compromise, including:

Review chat logs

By taking the time to review agent chat logs, businesses can pinpoint requests from customers for service agents to download files or open links. If the logs don’t show such requests, it’s less likely that the business has been targeted by IceBreaker so far. If file actions are being asked of staff, companies should determine when this behavior started and how it is trending. Is it steady over time? Decreasing? Increasing?

More requests suggest that attackers are getting closer and closer to success. This should provide the impetus for companies to take action.
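One way to turn that chat-log review into a repeatable check, as an added example that is not the article’s own method or a tool from IBM or Security Joes: parse exported chat transcripts, flag customer messages that ask the agent to download or open something, and count them per ISO week so the trend is visible. The line format (timestamp|role|message), the chat lines and the keyword lists are all constructed assumptions; the keywords in particular should be tuned to the languages your agents actually work in.

```python
"""Triage exported chat logs for "please download/open this" requests and
show the weekly trend. Added example, not from the article or from any
vendor; the log format and the sample transcript are constructed.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Verbs that ask the agent to fetch or open something. Spanish and French
# are included because the report notes those agents were targeted; extend
# the list for your own languages.
REQUEST_RE = re.compile(
    r"\b(?:download|open|look at|mira|descarga|descargar|abre|abrir"
    r"|t[ée]l[ée]charge[rz]?|ouvr(?:e|ez|ir))\b",
    re.IGNORECASE,
)
# Things worth being asked to open: image or archive extensions, links,
# attachments (English, Spanish, French).
ARTIFACT_RE = re.compile(
    r"\.(?:jpe?g|png|zip|lnk|vbs|msi)\b|https?://|attach|adjunt|pi[èe]ce jointe",
    re.IGNORECASE,
)


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Assumed export format: ISO timestamp | role | message."""
    ts, role, msg = line.split("|", 2)
    return datetime.fromisoformat(ts.strip()), role.strip().lower(), msg.strip()


def is_file_request(role: str, msg: str) -> bool:
    """Only customer messages count; an agent saying 'download' is not a lure."""
    return role == "customer" and bool(REQUEST_RE.search(msg)) and bool(ARTIFACT_RE.search(msg))


def flagged_messages(log_text: str) -> List[Tuple[str, str]]:
    """(timestamp, message) for every customer request to download/open a file."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, role, msg = parse_line(line)
        if is_file_request(role, msg):
            out.append((ts.isoformat(), msg))
    return out


def weekly_requests(log_text: str) -> Dict[str, int]:
    """Count flagged requests per ISO week. Weeks that had chat traffic but no
    requests are kept as zero so the trend is not distorted by gaps."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, role, msg = parse_line(line)
        year, week, _ = ts.isocalendar()
        key = f"{year}-W{week:02d}"
        counts.setdefault(key, 0)
        if is_file_request(role, msg):
            counts[key] += 1
    return dict(sorted(counts.items()))


def trend(counts: Dict[str, int]) -> str:
    """Crude trajectory: compare the mean of the later half of the weeks
    with the mean of the earlier half."""
    vals = list(counts.values())
    if len(vals) < 2:
        return "insufficient data"
    half = len(vals) // 2
    first = sum(vals[:half]) / half
    second = sum(vals[half:]) / (len(vals) - half)
    if second > first * 1.25:
        return "increasing"
    if second < first * 0.75:
        return "decreasing"
    return "steady"


# Constructed sample transcript covering four weeks of one support queue.
CHAT_LOG = """\
2022-09-05T09:12:00|customer|Hola, no puedo entrar a mi cuenta desde ayer.
2022-09-05T09:13:30|agent|Claro, dime tu usuario y lo reviso.
2022-09-12T14:02:10|customer|I attached a screenshot, please download the image to see the error.
2022-09-12T14:03:00|agent|Thanks, I will take a look.
2022-09-19T11:40:05|customer|Descarga la imagen adjunta, ahí se ve el problema con el depósito.
2022-09-20T16:21:44|customer|Mira el zip en este enlace https://example.invalid/capturas.zip
2022-09-26T10:05:12|customer|Abre la imagen.jpg que subí, por favor.
2022-09-27T10:06:00|customer|Please open attached.jpg and the screenshot.zip
2022-09-27T12:00:00|agent|Can you describe the issue in text instead?
"""

if __name__ == "__main__":
    for ts, msg in flagged_messages(CHAT_LOG):
        print(f"{ts}  {msg}")
    counts = weekly_requests(CHAT_LOG)
    print(counts, "->", trend(counts))
```

Run against a real export, the flagged list is what an analyst reads to confirm whether the requests are genuine support traffic or lure attempts; the weekly counts answer the “steady, decreasing or increasing” question the review is meant to settle.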

Recognize social realities

With defenders and attackers locked in an IT arms race, attackers are falling back on their most reliable compromise method: human beings. Businesses need to recognize the reality of social engineering and educate staff accordingly.

The nature of humans to be sociable and helpful — especially those whose jobs depend on these friendly functions — makes social engineering an effective way for attackers to gain network access. With gambling and gaming accounts, agents want to help customers solve issues to keep revenue flowing.

By training staff on what social engineering looks like in the context of service requests, they’re better able to identify and flag potential problems.

Shift service processes

Companies may also benefit from moving the service function off the corporate network, whether by outsourcing it or by running it on a separate cloud platform. In either case, a compromised agent workstation no longer sits on the same network as user or financial data, which limits how far an attacker can move laterally after a successful lure.

Pumping the brakes on IceBreaker

While little is known about IceBreaker’s origins or long-term goals, it’s clear that this malware is breaking the mold. By aiming targeted social engineering at the problem-solving instincts of customer service agents, attackers have found a new way past security controls and into data-rich gaming and gambling networks.

As work continues to uncover IceBreaker efforts, total compromise numbers will likely drop. In the meantime, however, it’s critical for companies to carefully monitor their chat logs, recognize the impact of social engineering and consider shifting service functions away from local networks where possible.
