An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort.
Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process.
Here’s a look at how IceBreaker is cracking customer service and putting companies at risk.
Slippery slope? From helpful service to security breach
As noted by Tech Radar, the IceBreaker attack was first detected in September 2022. No group has taken credit for the attack so far, but there are some general clues to their origin. For example, they primarily target Spanish-speaking agents. They’ve also requested agents familiar with French or other languages but are avoiding English speakers.
The payload itself is an LNK file disguised as a .jpg, which attackers upload into the chat session. They claim the “image” better explains issues with account access or functionality and ask customer service agents to download the file. If the agent opens it, the LNK retrieves the IceBreaker backdoor to establish a persistent connection and downloads an MSI-based malware payload. Attackers also come prepared with a VBS backup file if service agents can’t download the LNK file. Israeli firm Security Joes, which discovered the recent uptick in IceBreaker, says that attackers may also share links to ZIP files that supposedly contain images.
According to Bleeping Computer, the MSI file itself is hard for virus scanners to detect, with just four out of 60 scans returning positives. In part, this is thanks to a large set of decoy tools contained within the file. There’s also evidence that the C++ 64-bit executable used by IceBreaker has an unusual overlay that keeps part of its data attached to the end of the file itself. This, in turn, helps it better hide from AV tools.
Once IceBreaker has a network foothold, it can discover, steal and exfiltrate data. It can also enable a Socks5 reverse proxy server, generate remote shell sessions and customize itself using plugins that extend its feature set.
Signs of IceBreaker infection
An early warning sign of IceBreaker efforts is an uptick in requests by “customers” for service agents to download images. If agents take the bait, IceBreaker goes to work. According to the Security Joes report, while AV tools may not catch the malware in the act, there are indicators of infection that companies can detect.
The first is LNK files created in Windows startup folders; WINN.lnk is the most common. Teams should also be on the lookout for the unauthorized use of the open-source tool tsocks.exe. Additionally, they should look for the creation of msiexec.exe processes that are also receiving URLs as parameters. VBS scripts and LNK files launched from the Temp folder may also be an indicator of IceBreaker compromise.
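The host indicators listed above map naturally onto process-creation and file-creation telemetry. The following is an added example, not code from the Security Joes report, that checks constructed Sysmon-style records for each indicator: an LNK written to a Startup folder (with WINN.lnk called out by name), tsocks.exe execution, msiexec.exe invoked with a URL argument, and a .vbs or .lnk launched from a Temp directory. The record format, field names and sample events are assumptions made for the example.

```python
"""Flag the IceBreaker host indicators in process- and file-creation telemetry.
Added example; the dict-based record format and the sample events below are
constructed to resemble Sysmon Event ID 1 (process create) and Event ID 11
(file create) data, not real telemetry."""
import re
from typing import Dict, List, Tuple

# Startup folders (per-user and all-users) where the report says IceBreaker
# drops its LNK persistence. Compared case-insensitively against the full path.
STARTUP_DIRS = (
    "\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\",
)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)       # URL passed to msiexec
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)    # ...\Temp\... component
ARG_RE = re.compile(r'"[^"]+"|\S+')                      # split a command line


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the indicators that match one telemetry record."""
    hits: List[str] = []
    if ev.get("event") == "file_create":
        target = ev.get("target", "").lower()
        if target.endswith(".lnk") and any(d in target for d in STARTUP_DIRS):
            hits.append("lnk_in_startup_folder")
            if basename(target) == "winn.lnk":      # most common name per the report
                hits.append("winn_lnk")
    elif ev.get("event") == "process_create":
        image = basename(ev.get("image", ""))
        cmdline = ev.get("cmdline", "")
        if image == "msiexec.exe" and URL_RE.search(cmdline):
            hits.append("msiexec_with_url")
        if image == "tsocks.exe":
            hits.append("tsocks_execution")
        # Any process whose command line references a .vbs or .lnk under Temp.
        for arg in ARG_RE.findall(cmdline):
            a = arg.strip('"')
            if TEMP_RE.search(a) and a.lower().endswith((".vbs", ".lnk")):
                hits.append("script_or_lnk_from_temp")
                break
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and indicator list for every record that matched at least one."""
    findings = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample telemetry: records 0, 2, 3 and 4 should be flagged.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://example.invalid/update.msi /qn"},
    {"event": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Installers\vendor.msi /qn"},
    {"event": "process_create", "image": r"C:\Users\agent\AppData\Local\Temp\tsocks.exe",
     "cmdline": "tsocks.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\agent\AppData\Local\Temp\helper.vbs"'},
    {"event": "file_create",
     "target": r"C:\Users\agent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WINN.lnk"},
    {"event": "file_create", "target": r"C:\Users\agent\Documents\notes.txt"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index].get("image") or SAMPLE_EVENTS[index]["target"], reasons)
```

The msiexec check deliberately ignores local .msi paths so that routine software deployment does not page anyone; the URL form is the one the report associates with IceBreaker. The Temp check looks at every process rather than only wscript.exe and cscript.exe, because an LNK run from Temp surfaces as whichever target the shortcut points at.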
Breaking the ice: How companies can stay safe
IceBreaker infections rely on the social and helpful nature of human beings, especially those in customer service. Tasked with resolving issues, well-intentioned agents may not realize the risk of downloading a “jpg” or opening a ZIP file. And with no history of similar attacks, gambling and gaming companies are unprepared for this possible threat vector.
There are steps companies can take to reduce the risk of IceBreaker cracks, including:
Review chat logs
By taking the time to view agent chat logs, businesses can pinpoint requests by customers for service agents to download files or open links. If logs don’t show these requests, it’s likely that businesses haven’t been exposed to IceBreaker. If staff are being asked to take such file actions, companies should determine when this behavior started and determine its trajectory. Is it steady over time? Decreasing? Increasing?
More requests suggest that attackers are getting closer and closer to success. This should provide the impetus for companies to take action.
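The chat-log review described above can be turned into a repeatable check. The following is an added example, not code from the article or from Security Joes: it parses constructed chat transcript lines, flags customer messages that ask an agent to download or open something, carry a link, or attach a file with a risky or double extension (the “.jpg” that is really an LNK), and then buckets the hits by ISO week so the trend question the article asks (steady, decreasing, increasing) is answered from the data. The line format, phrasing list and sample transcript are assumptions made for the example.

```python
"""Review chat transcripts for customer requests that an agent download a file
or open a link, then bucket the hits by week to show the trend.  Added example;
the transcript line format and the sample lines are constructed, and the
phrasing list is a starting point to tune against real logs."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# A nudge verb followed within a few words by a file-like object.
ASK_RE = re.compile(
    r"\b(download|open|check|look at|see)\b.{0,40}?\b(attached|attachment|image|"
    r"screenshot|jpg|jpeg|png|zip|file|link)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
ATTACH_RE = re.compile(r"\[(?:attachment|file):\s*([^\]]+)\]", re.IGNORECASE)
# Extensions the article associates with the lure (LNK, ZIP, VBS, MSI) plus
# other executable types; "error.jpg.lnk" ends in .lnk and is caught.
RISKY_EXT = (".lnk", ".zip", ".vbs", ".msi", ".exe", ".scr", ".js")
# Assumed transcript format: "YYYY-MM-DD HH:MM [role] chat_id: text"
LINE_RE = re.compile(r"^(\S+ \S+) \[(\w+)\] (\w+): (.*)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Split one transcript line into (timestamp, role, chat id, text)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, role, chat_id, text = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), role.lower(), chat_id, text


def classify(text: str) -> List[str]:
    """Reasons a customer message warrants review; empty means nothing found."""
    reasons = []
    if ASK_RE.search(text):
        reasons.append("asks_agent_to_open_or_download")
    if URL_RE.search(text):
        reasons.append("contains_link")
    for name in ATTACH_RE.findall(text):
        if name.lower().endswith(RISKY_EXT):
            reasons.append("risky_attachment:" + name.lower().rsplit(".", 1)[-1])
    return reasons


def week_key(dt: datetime) -> str:
    iso = dt.isocalendar()
    return f"{iso[0]}-W{iso[1]:02d}"


def weekly_counts(lines: List[str]) -> Dict[str, int]:
    """Flagged customer messages per ISO week, including weeks with zero hits."""
    counts: Dict[str, int] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        dt, role, _chat_id, text = parsed
        counts.setdefault(week_key(dt), 0)
        if role == "customer" and classify(text):
            counts[week_key(dt)] += 1
    return dict(sorted(counts.items()))


def trend(counts: Dict[str, int]) -> str:
    """Compare the average of the earlier half of weeks with the later half."""
    values = [counts[k] for k in sorted(counts)]
    if len(values) < 2:
        return "insufficient data"
    mid = len(values) // 2
    first = sum(values[:mid]) / mid
    second = sum(values[mid:]) / (len(values) - mid)
    if second > first:
        return "increasing"
    if second < first:
        return "decreasing"
    return "steady"


# Constructed sample transcript covering four consecutive weeks.
SAMPLE_CHAT = """\
2022-09-05 10:02 [customer] c101: hi, my withdrawal is stuck
2022-09-05 10:03 [agent] c101: happy to help, what is your account id?
2022-09-12 14:20 [customer] c205: please download the attached image, it explains the error [attachment: error.jpg.lnk]
2022-09-12 14:21 [agent] c205: sure, one moment
2022-09-19 09:45 [customer] c310: can you open this link to see the screenshot https://example.invalid/shot
2022-09-19 09:46 [customer] c311: here is a zip with the images [attachment: captures.zip]
2022-09-26 16:10 [customer] c402: check the attached file please [attachment: account.zip]
2022-09-26 16:12 [customer] c403: my bonus did not apply
""".splitlines()

if __name__ == "__main__":
    counts = weekly_counts(SAMPLE_CHAT)
    print(counts, trend(counts))
```

Only customer messages are counted, so an agent legitimately sending a customer a link does not inflate the series. Weeks with zero hits are kept in the series deliberately: a jump from nothing to a steady stream is exactly the onset the article says companies should date.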
Recognize social realities
With defenders and aggressors now in an IT arms race, attackers are falling back on their most reliable compromise method: human beings. As a result, businesses need to recognize the reality of social engineering and educate staff accordingly.
The nature of humans to be sociable and helpful — especially those whose jobs depend on these friendly functions — makes social engineering an effective way for attackers to gain network access. With gambling and gaming accounts, agents want to help customers solve issues to keep revenue flowing.
By training staff on what social engineering looks like in the context of service requests, they’re better able to identify and flag potential problems.
Shift service processes
Companies may also benefit from shifting service processes away from local networks. This could take the form of outsourcing the service process or simply moving to a cloud framework. In both cases, the move helps frustrate attacker efforts, since compromising an agent’s workstation won’t let them move laterally within corporate networks to access user or financial data.
Pumping the brakes on IceBreaker
While little is known about IceBreaker’s origins or long-term goals, it’s clear that this malware is breaking the mold. By combining the problem-solving nature of customer service agents with targeted social engineering efforts, attackers have developed a new way to bypass security systems and make their way into data-rich gaming and gambling networks.
As work continues to uncover IceBreaker efforts, total compromise numbers will likely drop. In the meantime, however, it’s critical for companies to carefully monitor their chat logs, recognize the impact of social engineering and consider shifting service functions away from local networks where possible.