Ice Breaker APT Eyes the Gaming and Gambling Industry

Category: Threat Actor Activity | Industry: Entertainment | Level: Tactical | Source: Security Joes

A wave of attacks was discovered targeting the gaming and gambling industry since September 2022. The threat actors are tracked by researchers from Security Joes as "Ice Breakers." The origins of the group are unknown as no distinguishing clues were identified from chat dialogs to give indications of a preferred dialog used by the APT group. Their targeting of the gaming and gambling industry appears to be an attempt to capitalize on a major industry event, ICE London 2023, which launched on February 6th, 2023. Ice Breaker's social engineering tactics often lead with their operators posing as troubled customers and engaging with technical support to gain access to an online account. To create instant confusion, a language barrier is established by the operators intentionally selecting a language for the conversation they don't plan to communicate in. During instances when English is used, Ice Breaker operators demonstrated low levels of proficiency in the language often using short-handed English and showing clear grammatical mistakes. As a result of this observation, security researchers are speculating English is likely not the group's preferred language of choice, further conceal their identities.

Ice Breaker's meticulous social engineering approach is highlighted by Security Joe researchers as the "threat actor was well-aware of the fact that the customer service is human operated. Without proper guidance for the teams on the other end, it almost seemed logical that an unregistered user would be having trouble logging in or registering, and thus the attacker sends links to images instead of embedding them in the chat." The links sent only pose as a screenshot to lure the victims into downloading an archive file, containing a Windows shortcut (LNK) file. The shortcut file points to an MSI package housing Ice Breaker's backdoor malware. Alternatively, the operator has also deployed a VBS script with the zip archive to trigger the download and execution of the Houdini remote access trojan (RAT). Through the deployment of the IceBreaker backdoor malware and Houdini RAT, the threat actors appear to be targeting user credentials.

Anvilogic Scenario:

• Zip/LNK Leads to LOLBins and Actions on Objectives

Anvilogic Use Cases:

• Wscript/Cscript Execution
• MSIExec Install MSI File
• C2 Beaconing

‍

‍