CyberWire Daily - Encore: The curious case of the missing IcedID. [Only Malware in the Building]
Episode Date: July 4, 2024
Welcome in! You’ve entered Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive Upper West Side, Selena is joined by N2K Networks' Dave Bittner and Rick Howard to uncover the stories behind notable cyberattacks. Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, we talk about "The curious case of the missing IcedID." IcedID is a malware originally classified as a banking trojan and was first observed in 2017. It also acts as a loader for other malware, including ransomware, and was a favored payload used by multiple cybercriminal threat actors until fall 2023. Then, it all but disappeared. In its place, a new threat crawled: Latrodectus. Named after a spider, this new malware, created by the same people as IcedID, is now poised to take over where IcedID melted off. Today we look back at what happened to the once prominent payload, and what its successor’s spinning web of activity means for the overall landscape. And be sure to check out the latest episode of Only Malware in the Building here.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Cloves of garlic. I mean, it couldn't hurt.
I just upgraded my modem, Dave, so I don't want to hear any
crap about how slow I am on this
particular episode. We sound
impulsively brilliant.
Even malware has multiple
names for the same type of malware.
It's, yeah, you have to keep them straight.
Do we understand the circumstances
of how it just fell off the radar?
Only if you'll share your dips, Dave.
No.
I'm sorry.
Welcome in.
You've entered Only Malware in the Building.
Join us each month to sip tea and solve mysteries about today's most interesting threats.
I'm your host, Selena Larson, Proofpoint threat researcher.
Being a security researcher is a bit like being a detective.
You gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle.
Inspired by Mabel Mora and the residents of New York's
exclusive Upper West Side residence,
I, alongside N2K Network's Dave Bittner
and Rick Howard,
uncover the stories behind notable cyber attacks.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages,
it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Today, we're talking about the curious case of the missing IcedID.
IcedID is a malware originally classified as a banking trojan and first observed in 2017.
It also acts as a loader for other malware, including ransomware,
and was a favored payload used by multiple cyber criminal threat actors until the fall of 2023.
Then it all but disappeared. In its place,
a new threat crawled, Latrodectus. Named after a spider, this new malware created by the same people as IcedID is now poised to take over where IcedID melted off. I'm a little bit grossed out
about all this. First Ice T, iced ID, NRT, that you mentioned
at the top of the show.
Does that mean
there's a spider in the cup also?
Oh my God.
No,
but I highly recommend
not Googling
this malware name,
especially if you have
a fear of spiders
like I do.
I'm sorry.
I'm sorry.
I was,
I was just enjoying a delicious dip.
Selena, I want to apologize that Rick and I were both late to this recording session.
We were waiting for Rick's dial-up to connect.
I just upgraded my modem, Dave,
so I don't want to hear any crap about how slow I am on this particular episode.
Sure.
Okay, Absolutely.
Guys, guys, guys, we have to be cool. Think about our audience.
Well, let's start out, I mean, talking about IcedID. So what is IcedID and how did it
originally emerge into the cybersecurity landscape?
IcedID has been around. Like I mentioned, it was initially classified as banking malware. It was first observed in 2017. It was really part of that banking Trojan family.
There was this era of cybercrime where you had things like Ursnif, IcedID, Dridex all came on the scene that were classified as banking malware.
They were going after banking credentials, real money.
And then it started acting as a loader for other malware, including ransomware.
It was used by multiple prominent initial access brokers.
So essentially those threat actors that are trying to gain access to compromise a system and then deliver ransomware. Emotet, for example, was seen delivering IcedID.
Can I just pause and say that the reason I love cybersecurity is that all the cool names that we
come up with to describe all this stuff. I mean, you rattled off of maybe nine different malware
names, right? That is on the tip of the tongue of everybody. And that's the reason I'm here. Okay,
Selena. You know what? I feel like it has gone slightly overboard, though. You know, it's hard
to keep them all in my head. There's just so many and the names are so chaotic. Yeah, I wish there
was one organization that could take responsibility for being the defining name because every malware actor has half a dozen different names.
And very often it is my job to say them all
and keep them straight, right?
Which is not easy.
Well, even IcedID was aka BokBot in the early days.
So even malware has multiple names
for the same type of malware.
It's, yeah, you have to keep them straight.
Sounds like a robot chicken.
Yeah.
What I love about it, though, is, you know, we have malware names and we have hacker names.
We have hacker group names.
And sometimes they're the same names, right?
And then it's like, talk about getting confused, okay?
I have no idea what we're talking about most of the time.
Oh, Rick.
Rick, you don't give yourself enough credit.
You know, Selena, I think that it is safe to say that Rick is a security genius.
Not particularly true, but safe.
Hey, I am in the presence of greatness right now.
Oh, stop.
Go on.
Go on.
Please, please tell me more.
Tell me more.
Only if you'll share your dips, Dave.
Okay.
No, I'm sorry.
It's not enough.
Well, you obviously haven't read my contract.
There'll be no sharing of the dips.
So, all right.
So we've talked about IcedID.
So what happened to IcedID?
Do we understand the circumstances of how it just fell off the radar?
That's a very good question.
So it was pretty prominent.
And back in early 2023, we actually saw a new variant of IcedID called IcedID Lite kind of remove some of the functionality of the initial type of malware. So we thought they were continuing development, going all in on this type of malware.
And then in the fall, it really just sort of stopped appearing in campaign data.
We were asking ourselves at Proofpoint, you know, fellow researchers being like, hey, you know,
what's going on? Because the actors that use IcedID, these initial access brokers, they're still
active. And it coincided, the fall of IcedID sort of coincided with in November 2023, this, you know,
new malware that kind of came on the scene.
And initially people thought it was another new variant of IcedID, but great, this is interesting.
But it turned out to be something completely different. It was Latrodectus, but suspected to
be developed by the same folks who created IcedID. So this top dog of initial access malware that had been used for so long
just sort of disappeared and in its place rose Latrodectus. Did Latrodectus have some sort of
significant upgrade to it that caused them to abandon the other one? Or I mean, it seems weird
that we just take something that was working and go to something different. Great question.
Not really. And actually, if you ask my colleague, Pim Trouerbach,
who did all of the malware reversing on Latrodectus,
he thinks it's a little basic.
He's not very impressed.
Wow.
With this particular malware.
He would like the threat actors to try a little bit harder.
Oh, don't say that.
To make things more fun for him.
Yeah, let's taunt them, Selena.
That would be great for all of us.
You're right.
You're right.
I know.
So Latrodectus is the version of me
dialing up to the internet with my modem.
Is that what you're telling me?
I don't know if it's quite that
because it's still a payload
that's used by initial access brokers, right?
Like we're still seeing it being used by threat actors,
although not as much as IcedID,
which is kind of interesting.
You know, IcedID was really up there like with Qbot, right?
Like you had these sort of, you know,
frequent, highly regarded malwares,
highly used malwares that typically led to ransomware.
I mean, IcedID we saw like throughout its life cycle
leading to Maze, Sodinokibi, Egregor.
The DFIR Report
just published a couple of posts recently about it going to Nokoyawa,
Dagon Locker ransomware.
So, you know,
it was really kind of a key component
in many, many ransomware attacks.
So it was kind of interesting that,
you know,
it just sort of like fell off the landscape
and Latrodectus came back.
We only see it with a couple of our threat actors,
but it's still like, you know,
you're still trying to figure out like what comes next.
IcedID was so prominent
and then it just kind of disappeared.
And now we're all kind of seeing like,
okay, what's going on?
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
This is all coinciding with just chaotic vibes of eCrime landscape.
There's a lot of outstanding questions, I feel like, in general.
Right.
So, I mean, you know, sometimes we talk about maybe
there's internal strife among the team that could have been working on IcedID. And so a handful of
them break off and decided to do this new thing. Or sometimes they'll try to throw law enforcement
off the trail and say, oh, look, we're not them anymore. This is a completely new group. I mean,
do we have any indications
of what might have been prompting this name change,
or is it still just a mystery?
As far as we know, it's still just a mystery.
I do think that you bring up a very good point, though,
when you're talking about...
Don't encourage him, Selena.
I mean, come on, he thinks he's the Edward R. Murrow of malware.
Okay, come on, it's not that important.
Selena, don't listen to him.
For him, virus protection includes garlic and a wooden stake.
And it has been effective ever since.
I'm just saying.
Okay.
As we were saying, Selena, before we were so rudely interrupted.
You know, I'm going to make a note of that and share it with my detection team that they should all
put cloves in their USB drive.
Cloves of garlic.
I mean, it couldn't hurt.
Just in case.
Taking lessons from the older folks.
How we used to combat malware
back in the day.
Speak for yourself, Selena.
Speak for yourself.
But no, I mean, I think that is a good point if we think about the characters who are in the cybercrime landscape.
And there is kind of drama and strife often.
I think the Conti leaks was a great example of showing how, you know, different threat actors interact with each other, how they're kind of oftentimes in like a business hierarchy.
They have people working on HR.
They have, you know, complaints about fellow employees and with the fracturing of Conti
kind of splintering into these different groups.
And so, you know, IcedID is kind of, you know,
part of that overall cinematic universe
of ransomware cybercrime.
And they're a little bit, I would love to see like a real
Housewives of cybercrime. Wait, that's a different show. That's a completely different show.
You're right. You're right. That's next season. Sorry. Sorry.
Get the FBI on the line. Yeah. To figure out, you know, what is the motivation? How do they react to things?
What, you know, just hearing the gossip and, you know, all of the wide decisions are made, I think.
I'm still confused about why Proofpoint has linked the two pieces of malware together,
the IcedID and the Latrodectus.
Is there a common code elements there or it looks like the same kind of coding style?
I mean, what's the thing that links it together? Yeah, so there are characteristics within the
malware itself that point to an overlap. There's also infrastructure overlap with historic IcedID
operations. And so we were taking a look at this new Latrodectus. In fact, it looked so similar to IcedID that initial analysis
thought Latrodectus was a new variant of the IcedID malware. And so there was a lot of discussion
on various socials and stuff about, oh, what is this malware? What's going on?
And so we were able to, within doing some analysis and being able to kind of find and highlight
some of those links,
there was some, like for example,
some sort of sophistication
involved, right? They had various
sandbox evasion
functionality, different encryption
styles, but fundamentally we
were able to see some of those
links. But what we don't see,
while the links exist in
the malware, it hasn't reached the level of IcedID operations, historic IcedID operations, and what we've
seen from that malware and operators of that malware. So it hasn't like one-to-one replaced it.
And so it's still kind of an open question, like where does this go from here? And is this even
going to continue to be successful
or is there going to be a pivot to something completely different?
Like we've seen, you know, with the QBOT disruption,
meaning threat actors have to use something totally, completely new.
So, yeah, it's still kind of an open question.
When you think about Latrodectus and its place in the malware ecosystem, how serious a threat is this?
And how much energy should folks be putting in to protect themselves against it?
Well, I like to think that, you know, there's various tiers in my mind.
And again, this is just, this is just how I think about things
in terms of the types of threat actors. And if we have threat actors that are initial access brokers
that are using something new, it's definitely worth paying attention to.
Because initial access brokers are the ones that are responsible for some of the most damaging
cybercrime attacks, ransomware that costs hundreds of millions of dollars.
And there's the malware that you have to think about
and thinking about defense for the actual,
like on network defense,
but there's also thinking about the lead up to it,
the initial access.
And so sort of this idea of defense in depth
to prevent not just the installation
of potentially Latrodectus, but any other malware that threat actors that are initial access brokers are going to be using.
Because Latrodectus is just one, right?
We have seen, for example, with the Qbot disruption, Pikabot being kind of that replacement.
And so the malware might change.
But if we're looking at initial access brokers,
their experimentation, their sophistication,
all of that that they're doing to just try and compromise organizations,
you know, it's always worth paying attention to
when they use something new.
So what's the main takeaway here, Selena?
I mean, is there common protections for Latrodectus
or does it mean something specific if you see that kind of
thing in your environment? So I would say that with Latrodectus in particular, I have to say
the community has really come together to do a lot of really great research into this particular
malware. Proofpoint actually published a blog in collaboration with Team Cymru looking at this
particular malware and its infrastructure. And that was pretty interesting to see a lot of,
you know, some of the overlap with historic IcedID operations.
But, you know, when there is something
like an initial access type of malware that is identified,
that's always something that should be
sort of like a high priority, you know, investigation.
Like as we've seen historically,
certainly with IcedID, things like Qbot,
the access to ultimate ransomware delivery, the relationship is there. And I think the
DFIR Report recently came out with an example of an IcedID infection with the time to ransomware
being 29 days. It's the whole cycle and the activity is there. There's going to be likely,
especially if we're talking about initial access brokers, there's going to be the initial malware delivery, there's going to be data exfiltration, there's going to be lateral
movement. They're going to try and spread themselves as much as they can before actually
leading to ultimate encryption. So yeah, I mean, I think the jury's still out on what
does Latrodectus mean, but it's a great example of the continued experimentation
of initial access brokers,
the continued use of new tools,
new resources,
trying to adopt new techniques
to see what works best.
And they're always out there
trying to compromise computers
and make as much money as possible.
Well, Selena, thank you for sharing all of this
information with us. We are
excited to be part of Only Malware
in the building.
Rick and I, we do have to run.
We are meeting up later today to play
an exciting game of Pong
together.
I believe I'm ahead, Dave.
I believe I'm ahead.
Well, right.
But before we do, we both need a nap.
So thanks so much.
And we will see you here next month.
Thanks, you guys.
I'm very much looking forward to it.
And thanks to you, all our listeners, for tuning in to Only Malware in the Building.