A brand new assault marketing campaign has focused the gaming and playing sectors since at the very least September 2022, simply months previous to the ICE London 2023 gaming business commerce honest occasion that is scheduled subsequent week.
Israeli cybersecurity firm Security Joes is monitoring the exercise cluster underneath the title Ice Breaker, stating the intrusions make use of intelligent social engineering techniques to deploy a JavaScript backdoor.
The assault sequence proceeds as follows: The menace actor poses as a buyer whereas initiating a dialog with a help agent of a gaming web site and urges the person on the opposite finish to open a screenshot picture hosted on Dropbox.
Security Joes stated that the menace actor is “well-aware of the truth that the customer support is human-operated.”
Clicking the malicious hyperlink despatched within the chat results in the retrieval of an LNK payload or, alternatively, a VBScript file as a backup choice, the previous of which is configured to obtain and run an MSI bundle containing a Node.js implant.
The JavaScript file has all of the options of a typical backdoor, enabling the menace actor to enumerate working processes, steal passwords and cookies, exfiltrate arbitrary information, take screenshots, run VBScript imported from a distant server, and even open a reverse proxy on the compromised host.
Should the VBS downloader be executed by the sufferer, the an infection culminates within the deployment of Houdini, a VBS-based distant entry trojan that dates again to 2013.
The menace actors’ origins are presently unknown, though they’ve been noticed utilizing damaged English throughout their conversations with customer support brokers. Some indicators of compromise (IoCs) related to the marketing campaign had been beforehand shared by the MalwareHunterTeam in October 2022.
“This is a extremely efficient assault vector for the gaming and playing business,” Felipe Duarte, senior menace researcher at Security Joes, stated.
“The never-seen-before compiled JavaScript second stage malware is extremely complicated to dissect, exhibiting that we’re coping with a talented menace actor with the potential of being sponsored by an curiosity proprietor.”