Only Malware in the Building 6.4.24
Ep 1 | 6.4.24

The curious case of the missing IcedID.


Unidentified Person: This week on Only Malware in the Building --

Selena Larson: You know, I'm going to make a note of that and share it with my detection team that they should all put cloves in their USB drive, cloves of garlic.

Dave Bittner: I mean, it couldn't hurt.

Rick Howard: I just upgraded my modem, Dave, so I don't want to hear any crap about how slow I am on this particular episode.

Dave Bittner: We sound impulsively brilliant.

Selena Larson: Even malware has multiple names for the same type of malware. It's, yeah, you have to keep them straight.

Dave Bittner: Do we understand the circumstances of how it just fell off the radar?

Selena Larson: Only if you'll share your dips, Dave.

Dave Bittner: No, I'm sorry. [ Music ]

Selena Larson: Welcome in. You've entered Only Malware in the Building. Join us each month to sip tea and solve mysteries about today's most interesting threats. I'm your host, Selena Larson, Proofpoint threat researcher. Being a security researcher is a bit like being a detective. You gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. Inspired by Mabel Mora and the residents of New York's exclusive Upper West Side, I, alongside N2K Network's Dave Bittner and Rick Howard, uncover the stories behind notable cyberattacks. [ Music ] Today we're talking about the curious case of the missing IcedID. IcedID is a malware originally classified as a banking trojan and first observed in 2017. It also acts as a loader for other malware, including ransomware, and was a favored payload used by multiple cybercriminal threat actors until the fall of 2023. Then it all but disappeared. In its place, a new threat crawled, Latrodectus. Named after a spider, this new malware, created by the same people as IcedID, is now poised to take over where IcedID melted off.

Rick Howard: I'm a little bit grossed out about all this. The first iced tea -- IcedID NRT that you mentioned at the top of the show, does that mean there's a spider in the cup also? Oh, my God.

Selena Larson: No, but I highly recommend not Googling this malware name, especially if you have a fear of spiders like I do.

Dave Bittner: [crunching] Mm, I'm sorry. I'm sorry, I was -- I was just enjoying a delicious dip, and I'm -- Selena, I want to apologize that Rick and I were both late to this recording session. We were waiting for Rick's dial-up to connect.

Rick Howard: I just upgraded my modem, Dave, so I don't want to hear any crap about how slow I am on this particular episode.

Dave Bittner: Sure, okay, absolutely.

Selena Larson: Guys, guys, guys, we have to be cool. Think about our audience.

Dave Bittner: Well, let's start out, I mean, talking about IcedID. So what is IcedID and how did it originally emerge into the cybersecurity landscape? [ Music ]

Selena Larson: IcedID has been around. Like I mentioned, it was initially classified as a banking malware. It was first observed in 2017. It was really part of that banking trojan family. There was this era of cybercrime where you had things like First Nip [phonetic], IcedID, Dridex, all came on scene that were classified as banking malware. They were going after banking credentials, real money, and then it started acting as a loader for other malware, including ransomware. It was used by multiple prominent initial access brokers, so essentially those threat actors that are trying to gain access to compromise a system and then deliver ransomware. Emotet, for example, was seen delivering IcedID.

Rick Howard: Can I just pause to say that the reason I love cybersecurity is that all the cool names that we come up with to describe all this stuff? I mean you rattled off maybe nine different malware names, right, that is on the tip of the tongue of everybody and get it, and that's the reason I'm here, okay, Selena?

Selena Larson: You know what? I feel like it has gone slightly overboard, though. You know, it's hard to keep them all in my head. There's just so many and the names are so chaotic.

Dave Bittner: Yeah, I wish there was one organization that could take responsibility for being the defining name, because every malware actor has half a dozen different names.

Selena Larson: Mm-hm, mm-hm.

Dave Bittner: And very often it is my job to say them all and keep them straight, right? Which is not easy.

Selena Larson: Well, even IcedID was a.k.a. BokBot in the early days, so there's -- even malware has multiple names for the same type of malware. It's, yeah, you have to keep them straight.

Dave Bittner: Sounds like a robot chicken.

Rick Howard: Yeah. What I love about it, though, is that, you know, we have malware names and we have hacker names, we have hacker group names, and sometimes they're the same names, right? And then it's like -- talk about getting confused, okay? I have no idea what we're talking about most of the time.

Dave Bittner: Oh, Rick. Rick, you know, you don't give yourself enough credit. You know, Selena, I think that it is safe to say that Rick is a security genius, not particularly true, but safe.

Selena Larson: Hey, I am in the presence of greatness right now.

Dave Bittner: Oh, stop. Go on, go on.

Rick Howard: Yeah, please, please, tell me more. Tell me more.

Selena Larson: Only if you'll share your dips, Dave.

Dave Bittner: Okay. No, I'm sorry.

Selena Larson: It's not enough.

Dave Bittner: Well, you obviously haven't read my contract. There will be no -- there will be no sharing of the dips. So, all right, so we've talked about IcedID. So what happened to IcedID? How, like, do we understand the circumstances of how it just fell off the radar?

Selena Larson: That's a very good question. [ Music ] So it was pretty prominent, and back in early 2023, we actually saw a new variant of IcedID called "IcedID lite," kind of removed some of the functionality of the initial type malware, so we thought that continuing development, going all in on this type of malware, and then in the fall, it really just sort of stopped appearing in campaign data. We were asking ourselves at Proofpoint, you know, fellow researchers being like, hey, you know, what's going on? Because the actors that use IcedID, these initial access brokers, they're still active, and it coincided, the fall of IcedID sort of coincided with, in November 2023 this, you know, new malware that kind of came on the scene, and initially people thought it was another new variant of IcedID, but great, this is interesting, but it turned out to be something completely different. It was Latrodectus but suspected to be developed by the same folks who created IcedID. So this top dog of initial access malware that had been used for so long just sort of disappeared and in its place rose Latrodectus.

Rick Howard: Did Latrodectus have some sort of significant upgrade to it that caused them to abandon the other one, or, I mean, it seems weird that we just take something that was working and go to something different.

Selena Larson: Great question. Not really, and actually, if you ask my colleague Pim Trouerbach, who did all of the malware reversing on Latrodectus, he thinks it's a little basic. He's not very impressed --

Rick Howard: Hm, wow.

Selena Larson: With this particular malware. He would like the threat actors to try a little bit harder.

Dave Bittner: Oh, don't say that.

Selena Larson: To make things more fun.

Dave Bittner: Yeah, let's taunt them, Selena. That would be great for all of us.

Selena Larson: You're right, you're right. I know.

Rick Howard: So Latrodectus is the version of me dialing up to the internet with my modem? Is that what you're telling me?

Selena Larson: I don't know if it's quite that because it's still a payload that's used by initial access brokers, right? Like, we're still seeing it being used by threat actors, although not as much as IcedID, which is kind of interesting. You know, IcedID was really up there like with Qbot, right? Like, you had these sort of, you know, frequent highly regarded malwares, highly used malwares that typically led to ransomware. I mean, IcedID we saw like throughout its lifecycle leading to May [inaudible 00:08:44]. The DFIR Report just published a couple of posts recently about it going to Nokoyawa, Dagon Locker ransomware, so, you know, it's really kind of a key component in many, many ransomware attacks, so it's kind of interesting that, you know, just -- it just sort of like fell off the landscape, and Latrodectus came back. We only see it with a couple of our threat actors, but it's still, like, you know, you're still trying to figure out like what comes next. IcedID was once so prominent and then it just kind of disappeared and now we're all kind of seeing, like, okay, what's going on? [ Music ] This is all coinciding with just chaotic vibes of e-crime landscapes. There's a lot of outstanding questions, I feel like, in general.

Dave Bittner: Right, so, I mean, you know, sometimes we talk about maybe there's internal strife among the team that could have been working on IcedID, and so a handful of them break off and decided to do this new thing, or sometimes they'll try to throw law enforcement off the trail and will say, "Oh, look, we're not them anymore. This is a completely new group." I mean, do we have any indications of what might have been prompting this name change, or is it still just a mystery?

Selena Larson: As far as we know, it's still just a mystery. I do think that you bring up a very good point, though, when you're talking about --

Rick Howard: Don't encourage him, Selena. I mean, come on. He thinks he's the Edward R. Murrow of malware, okay? Come on. It's not that important.

Dave Bittner: Selena, don't listen to him. For him, virus protection includes garlic and a wooden stake.

Rick Howard: And it has been effective ever since. I'm just saying.

Dave Bittner: Yeah, okay. As we were saying, Selena, before we were so rudely interrupted.

Selena Larson: You know, I'm going to make a note of that and share it with my detection team, that they should all put cloves in their USB drive, cloves of garlic.

Dave Bittner: I mean, it couldn't hurt.

Selena Larson: Just in case, yeah, taking lessons from these -- the older folks, how we used to combat malware back in the day.

Rick Howard: Speak for yourself, Selena. Speak for yourself.

Selena Larson: But no, I mean, I think that is a good point if we think about the characters who are in the cybercrime landscape, and there is kind of drama and strife often. I think the Conti leaks was a great example of showing how, you know, different threat actors interact with each other, how they're kind of oftentimes in like a business hierarchy. They have people working on HR. They have, you know, complaints about fellow employees and with the fracturing of Conti kind of splintering into these different groups, and so, you know, IcedID is kind of, you know, part of that overall cinematic universe of ransomware cybercrime and they're a little bit -- I would love to see like a Real Housewives of Cybercrime.

Rick Howard: Wait, that's a different show. That's a completely different show.

Selena Larson: You're right, you're right. That's next season. Sorry, sorry.

Dave Bittner: Get the FBI on the line.

Selena Larson: You have to figure out, you know, what is the motivation, how do they react to things, what -- you know, just hearing the gossip and, you know, all of the -- why decisions are made, I think.

Rick Howard: I'm still confused about why Proofpoint has linked the two pieces of malware together, the IcedID and the Latrodectus. Is there common code elements there, or it looks like the same kind of coding style. I mean, what's the thing that links it together?

Selena Larson: Yeah, so there are characteristics within the malware itself that points to an overlap. There's also infrastructure overlap with historic IcedID operations, and so when we were taking a look at this new Latrodectus, in fact, it looked so similar to IcedID that initial analysis thought Latrodectus was a new variant of the IcedID malware, and so there was a lot of discussion on various, you know, socials and stuff about, oh, what is this malware? What's going on? And so we were able to, within, you know, doing some analysis and being able to kind of find and highlight, you know, some of those links, there was some, you know, like, for example, some sort of sophistication involved, right? They had various sandbox evasion functionality, different encryption styles, but fundamentally we were able to see, you know, some of those links. But what we don't see, while the links exist in the malware, it hasn't reached the level of IcedID operations, historic IcedID operations, and what we've seen from that malware and operators of that malware, so it hasn't like one-to-one replaced it. And so it's still kind of an open question, like where does this go from here, and is this even going to continue to be successful, or is there going to be a pivot to something completely different like we've seen, you know, with the Qbot destruction, meaning threat actors have to use something totally completely new? So yeah, it's still kind of an open question. [ Music ]

Dave Bittner: When you think about Latrodectus and its place in the malware ecosystem, how serious a threat is this and how much energy should folks be putting in to protect themselves against it?

Selena Larson: Well, I like to think that, you know, there's various tiers, in my mind, and, again, this is just, you know, how I think about things in terms of the types of threat actors, and if we have threat actors that are initial access brokers that are using something new, it's definitely worth paying attention to because initial access brokers are the ones that are responsible for some of the most damaging cybercrime attacks, ransomware that, you know, costs hundreds of millions of dollars and, you know, there's the malware that you have to think about and, you know, thinking about defense for the actual, you know, like on network defense, but there's also thinking about the lead-up to it, the initial access, and so sort of this idea of defense in depth to prevent not just the installation of potentially Latrodectus but any other malware the threat actors that are initial access brokers are going to be using, because Latrodectus is just one, right? We have seen, for example, with the Qbot disruption, Pikabot being, you know, kind of that replacement, and so there's, you know, the malware might change, but if we're looking at initial access brokers, their experimentation, their sophistication, all of that, that they're doing to just try and compromise organizations, you know, it's always worth paying attention to when they use something new.

Rick Howard: So what's the main takeaway here, Selena? I mean, is there common protections for Latrodectus, or does it mean something specific if you see that kind of thing in your environment?

Selena Larson: So I would say that, with Latrodectus in particular, I have to say the community has really come together to do a lot of really great research into this particular malware. Proofpoint actually published a blog in collaboration with [inaudible 00:15:52] looking at this particular malware and its infrastructure and that was pretty interesting to see a lot of, you know, some of the overlap with historic IcedID operations, but, you know, when there is something like an initial access type of malware that is identified, that's always something that should be sort of like a high priority, you know, investigation, like, as we've seen historically, certainly, with IcedID, things like Qbot, the access to ultimate ransomware delivery, the relationship is there, and I think the DFIR Report recently came out with an example of an IcedID infection with the time to ransomware being 29 days, you know, it's the whole cycle and the activity is there, there's going to be likely, especially if we're talking about initial access brokers, there's going to be, you know, the initial malware delivery. There's going to be data exfiltration. There's going to be lateral movement. They're going to try and, you know, spread themselves as much as they can before actually leading to ultimate encryption. So yeah, I mean, I think the jury's still out on like what does "Latrodectus" mean, but it's a great example of the continued experimentation of initial access brokers, the continued use of new tools, new resources, trying to adopt new techniques to see what works best, and they're always out there trying to compromise computers and make as much money as possible. [ Music ]

Dave Bittner: Well, Selena, thank you for sharing all of this information with us. We are excited to be part of Only Malware in the Building. Rick and I, we do have to run. We are meeting up later today to play an exciting game of pong together, so --

Rick Howard: I believe I'm ahead, Dave. I believe I'm ahead.

Dave Bittner: Well, right, but before we do, we both need a nap. So, thanks so much, and we will see you here next month.

Selena Larson: Thanks, you guys. I'm very much looking forward to it. And thanks to you, all our listeners, for tuning in to Only Malware in the Building. [ Music ]