March 24, 2023 By Doug Bonderud 4 min read

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort.

Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process.

Here’s a look at how IceBreaker is cracking customer service and putting companies at risk.

Slippery slope? From helpful service to security breach

As noted by Tech Radar, the IceBreaker attack was first detected in September 2022. No group has taken credit for the attack so far, but there are some general clues to their origin. For example, they primarily target Spanish-speaking agents. They’ve also requested agents familiar with French or other languages but are avoiding English speakers.

The payload itself is an LNK file that appears to be a .jpg, which attackers upload into the chat session. They claim the “image” better explains issues with account access or functionality and ask customer service agents to download the file. If successful, the malware grabs the IceBreaker backdoor to establish a consistent connection and downloads an MSI-based malware payload. Attackers also come prepared with a VBS backup file if service agents can’t download the LNK file. Israeli firm Security Joes, which discovered the recent uptick in IceBreaker, says that attackers may also share links to ZIP files that supposedly contain images.

According to Bleeping Computer, the MSI file itself is hard for virus scanners to detect, with just four out of 60 scans returning positives. In part, this is thanks to a large set of decoy tools contained within the file. There’s also evidence that the C++ 64-bit executable used by IceBreaker has an unusual overlay that keeps part of its data attached to the end of the file itself. This, in turn, helps it better hide from AV tools.

Once IceBreaker has a network foothold, it can discover, steal and exfiltrate data. It can also enable a Socks5 reverse proxy server, generate remote shell sessions and customize itself using plugins that extend its feature set.

Signs of IceBreaker infection

An early warning sign of IceBreaker efforts is an uptick of requests by “customers” for service agents to download images. If agents take the bait, IceBreaker goes to work. According to the Security Joes report, while AV tools may not catch the malware in the act, there are indicators of infection that companies can detect.

The first is LNK files created in Windows startup folders; WINN.lnk is the most common. Teams should also be on the lookout for the unauthorized use of the open-source tool tsocks.exe. Additionally, they should look for the creation of msiexec.exe processes that are also receiving URLs as parameters. VBS scripts and LNK files launched from the Temp folder may also be an indicator of IceBreaker compromise.

Breaking the ice: How companies can stay safe

IceBreaker infections rely on the social and helpful nature of human beings, especially those in customer service. Tasked with resolving issues, well-intentioned agents may not realize the risk of downloading a “jpg” or opening a ZIP file. And with no history of similar attacks, gambling and gaming companies are unprepared for this possible threat vector.

There are steps companies can take to reduce the risk of Icebreaker cracks, including:

Review chat logs

By taking the time to view agent chat logs, businesses can pinpoint requests by customers for service agents to download files or open links. If logs don’t show these requests, it’s likely that businesses haven’t been exposed to IceBreaker. If file actions are being asked of staff, companies should determine when this behavior started and determine its trajectory. Is it steady over time? Decreasing? Increasing?

More requests suggest that attackers are getting closer and closer to success. This should provide the impetus for companies to take action.

Recognize social realities

With defenders and aggressors now in an IT arms race, attackers are falling back on their most reliable compromise method: Human beings. As a result, businesses need to recognize the reality of social engineering and educate staff accordingly.

The nature of humans to be sociable and helpful — especially those whose jobs depend on these friendly functions — makes social engineering an effective way for attackers to gain network access. With gambling and gaming accounts, agents want to help customers solve issues to keep revenue flowing.

By training staff on what social engineering looks like in the context of service requests, they’re better able to identify and flag potential problems.

Shift service processes

Companies may also benefit by shifting service processes away from local networks. This could take the form of outsourcing the service process or simply moving to a cloud framework. In both cases, the move helps frustrate attacker efforts since compromise won’t empower them to move laterally within corporate networks to access user or financial data.

Pumping the brakes on IceBreaker

While little is known about IceBreaker’s origins or long-term goals, it’s clear that this malware is breaking the mold. By combining the problem-solving nature of customer service agents with targeted social engineering efforts, attackers have developed a new way to bypass security systems and make their way into data-rich gaming and gambling networks.

As work continues to uncover IceBreaker efforts, total compromise numbers will likely drop. In the meantime, however, it’s critical for companies to carefully monitor their chat logs, recognize the impact of social engineering and consider shifting service functions away from local networks where possible.

More from Risk Management

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

How I got started: Ransomware negotiator

4 min read - Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today