Alarming IceBreaker Malware Gives Hackers A Backdoor Into Gaming And Gambling Websites
The attack chain for this malware begins with a social engineering attempt in which the threat actors contact a website's customer support and claim to be experiencing an issue with the website that needs troubleshooting. The threat actors describe the supposed problem only vaguely and say it would be easier to share a screenshot of the unexpected error or prompt. In some cases, the threat actors claim to be non-English speakers, which may serve to convince customer support agents that viewing a screenshot is the better way to understand the problem.
The MSI installer extracts and executes this file, infecting the system with the IceBreaker Backdoor. The malware is written in JavaScript and is unusual in running on the Node.js runtime. The researchers are still analyzing this piece of malware but have so far determined that it possesses the following capabilities:
- Customization via plugins that extend the built-in features of the threat.
- Process discovery.
- Theft of passwords and cookies from local browser storage, with a particular focus on Google Chrome.
- A SOCKS5 reverse proxy server on the infected machine, provided via the open source project tsocks.
- Persistence by creating a new LNK file in the Startup folder: "\Microsoft\Windows\Start Menu\Programs\Startup\WINN.lnk".
- Exfiltration of files to the remote server via WebSockets.
- Execution of custom VBS scripts on the infected machine.
- Screenshots of the victim's machine.
- Remote shell sessions.
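The Startup-folder LNK is the most concrete artifact the report gives defenders, and a shortcut that launches a Node.js script from a user profile directory is unusual enough on most fleets to be worth hunting for. The following is an added example, not code from the original article or from the researchers: a minimal parser for the Windows shell link (.lnk) format that recovers the target path and command-line arguments, a heuristic that flags shortcuts matching the described persistence (the WINN.lnk file name, or node.exe launching a .js file), and a scan of both the per-user and all-users Startup folders. The `build_lnk` helper only constructs a sample shortcut for testing; the paths it is fed are made up and are not reported IceBreaker indicators.

```python
import os
import struct
from dataclasses import dataclass
from pathlib import Path

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


@dataclass
class Shortcut:
    target: str = ""        # LocalBasePath + CommonPathSuffix from LinkInfo
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""


def _cstr(data: bytes, off: int) -> str:
    """Read a NUL-terminated ANSI string starting at off."""
    return data[off:data.index(b"\x00", off)].decode("cp1252", "replace")


def parse_lnk(data: bytes) -> Shortcut:
    """Parse the parts of a shell link that matter for triage; raise ValueError if it is not one."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C  # end of ShellLinkHeader
    sc = Shortcut()
    if flags & HAS_ID_LIST:  # skip LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: offsets are relative to LinkInfo start
            sc.target = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += info_size

    def read_str() -> str:  # StringData: CountCharacters then the characters, no terminator
        nonlocal pos
        n = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            s = data[pos:pos + 2 * n].decode("utf-16-le", "replace")
            pos += 2 * n
        else:
            s = data[pos:pos + n].decode("cp1252", "replace")
            pos += n
        return s

    if flags & HAS_NAME:
        read_str()
    if flags & HAS_RELPATH:
        sc.relative_path = read_str()
    if flags & HAS_WORKDIR:
        sc.working_dir = read_str()
    if flags & HAS_ARGS:
        sc.arguments = read_str()
    return sc


def is_suspicious(lnk_name: str, sc: Shortcut) -> list[str]:
    """Return the reasons a Startup shortcut looks like the reported persistence; empty list if none."""
    reasons = []
    cmd = f"{sc.target} {sc.relative_path} {sc.arguments}".lower()
    if lnk_name.lower() == "winn.lnk":
        reasons.append("file name matches the reported IceBreaker persistence shortcut")
    if "node.exe" in cmd and ".js" in cmd:
        reasons.append("shortcut runs a JavaScript file under Node.js")
    if "\\appdata\\" in cmd or "\\temp\\" in cmd:
        reasons.append("target lives in a user-writable profile directory")
    return reasons


def startup_folders() -> list[Path]:
    """Per-user and all-users Startup folders (both end in the path fragment named in the report)."""
    sub = Path("Microsoft/Windows/Start Menu/Programs/Startup")
    return [Path(root) / sub for root in (os.environ.get("APPDATA"), os.environ.get("PROGRAMDATA")) if root]


def scan_startup() -> dict[str, list[str]]:
    findings = {}
    for folder in startup_folders():
        for lnk in folder.glob("*.lnk"):
            try:
                reasons = is_suspicious(lnk.name, parse_lnk(lnk.read_bytes()))
            except (ValueError, OSError):
                continue
            if reasons:
                findings[str(lnk)] = reasons
    return findings


def build_lnk(local_path: str, arguments: str) -> bytes:
    """Constructed test sample: a minimal LNK with LinkInfo (no VolumeID) and Unicode arguments."""
    flags = HAS_LINK_INFO | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)
    base = local_path.encode("cp1252") + b"\x00"
    body = base + b"\x00"  # LocalBasePath then an empty CommonPathSuffix
    link_info = struct.pack("<7I", 28 + len(body), 28, 0x1, 0, 28, 0, 28 + len(base)) + body
    return header + link_info + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    for path, reasons in scan_startup().items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The parser deliberately ignores the IDList and the network-share branch of LinkInfo; for a Startup-folder hunt the local base path plus arguments is what you need, and a shortcut that only carries an IDList (no LinkInfo) will simply come back with an empty target, which is itself worth a second look. Run it under the user account being triaged, since the per-user folder is resolved from `%APPDATA%`.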