Archive.fm

CyberWire Daily

Encore: The curious case of the missing IcedID. [Only Malware in the Building]

Welcome in! You’ve entered Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive Upper West Side, Selena is joined by N2K Networks’ Dave Bittner and Rick Howard to uncover the stories behind notable cyberattacks.

Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, we talk about "The curious case of the missing IcedID."

IcedID is a malware originally classified as a banking trojan and was first observed in 2017. It also acts as a loader for other malware, including ransomware, and was a favored payload used by multiple cybercriminal threat actors until fall 2023.

Then, it all but disappeared. In its place, a new threat crawled: Latrodectus. Named after a spider, this new malware, created by the same people as IcedID, is now poised to take over where IcedID melted off.

Today we look back at what happened to the once prominent payload, and what its successor’s spinning web of activity means for the overall landscape.

Duration:
20m
Broadcast on:
04 Jul 2024
Audio Format:
mp3


- You're listening to the CyberWire Network, powered by N2K.
- This week on "Only Malware in the Building."
- You know, I'm gonna make a note of that and share it with my detection team, but they should all put cloves in their USB drive, cloves of garlic.
- I mean, it couldn't hurt.
- I just upgraded my modem thing, so I don't want to hear any crap about how slow I am on this particular episode.
- We sound impulsively brilliant.
- Even malware has multiple names for the same type of malware. It's, yeah, I have to keep them straight.
- Do we understand the circumstances of how it just fell off the radar?
- Only if you'll share your dip, Dave.
- No, I'm sorry.

[MUSIC PLAYING]

Welcome in. You've entered "Only Malware in the Building." Join us each month to sip tea and solve mysteries about today's most interesting threats. I'm your host, Selena Larson, Proofpoint threat researcher. Being a security researcher is a bit like being a detective. We gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. Inspired by Mabel Mora and the residents of New York's exclusive Upper West Side, I, alongside N2K Networks' Dave Bittner and Rick Howard, uncover the stories behind notable cyber attacks.

[MUSIC PLAYING]

This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at Shopify.com/tech, all lowercase, that's Shopify.com/tech.

[MUSIC PLAYING]

Today, we're talking about the curious case of the missing IcedID. IcedID is a malware originally classified as a banking Trojan and first observed in 2017. It also acts as a loader for other malware, including ransomware, and was a favored payload used by multiple cyber criminal threat actors until the fall of 2023. Then it all but disappeared, and in its place a new threat crawled: Latrodectus. Named after a spider, this new malware, created by the same people as IcedID, is now poised to take over where IcedID melted off.

I'm a little bit grossed out about all this. First IcedID, and the tea that you mentioned at the top of the show, does that mean there's a spider in the cup also? Oh my god.

No, but I highly recommend not googling this malware name, especially if you have a fear of spiders like I do.

[LAUGHTER]

I'm sorry, I was just enjoying a delicious dip, and Selena, I want to apologize that Rick and I were both late to this recording session. We were waiting for Rick's dial-up to connect.

I just upgraded my modem, Dave, so I don't want to hear any crap about how slow I am on this particular episode.

Sure, okay, absolutely.

Guys, guys, guys, we have to be cool. Think about our audience.

[LAUGHTER]

Well, let's start out, I mean, talking about IcedID. So what is IcedID and how did it originally emerge into the cyber security landscape?

IcedID has been around. Like I mentioned, it was initially classified as a banking malware; it was first observed in 2017. It was really part of that banking Trojan family. There was this era of cybercrime where you had things like Ursnif, IcedID, Dridex, all came on scene that were classified as banking malware. They were going after banking credentials, real money, and then it started acting as a loader for other malware, including ransomware. It was used by multiple prominent initial access brokers, so essentially those threat actors that are trying to gain access to a compromised system and then deliver ransomware. Emotet, for example, was seen delivering IcedID.

Can I just pause and say that the reason I love cyber security is all the cool names that we come up with to describe all this stuff. I mean, you were at, like, maybe nine different malware names, right, that are on the tip of the tongue of everybody, and that's the reason I'm here, okay, Selena.

You know what? I feel like it has gone slightly overboard, though. It's hard to keep them all in my head. There's just so many and the names are so chaotic.

Yeah, I wish there was one organization that could take responsibility for being the defining name, because every malware actor has half a dozen different names and very often it is my job to say them all and keep them straight, which is not easy.

Well, even IcedID was AKA "Bokbot" in the early days, so even malware has multiple names for the same type of malware. It's, yeah, you have to keep them straight.

Sounds like a robot chicken. Yeah.

What I love about it, though, is we have malware names and we have hacker names, we have hacker group names, and sometimes they're the same names, right? And then, just like talking about getting confused, okay, I have no idea what we're talking about most of the time.

Oh, Rick, Rick, you don't give yourself enough credit. You know, Selena, I think that it is safe to say that Rick is a security genius.

Particularly true, but safe.

Hey, I am in the presence of greatness right now. Oh, stop. Go on. Go on. Please. Please. Tell me more. Tell me more. Yeah. Only if you'll share your dips, Dave. Okay. No. I'm sorry. It's not enough. Well, you obviously haven't read my contract. No, we know. There'll be no sharing of the dips.

So all right. So we've talked about IcedID. So what happened to IcedID? Like, do we understand the circumstances of how it just fell off the radar?

That's a very good question. So it was pretty prominent. And back in early 2023, we actually saw a new variant of IcedID called IcedID Lite that kind of removed some of the functionality of the initial type of malware. So we thought that continuing development, going all in on this type of malware. And then in the fall, it really just sort of stopped appearing in campaign data. We were asking ourselves at Proofpoint, you know, fellow researchers being like, hey, you know, what's going on? Because the actors that use IcedID, these initial access brokers, they're still active. And it coincided, the fall of IcedID sort of coincided with, in November 2023, this, you know, new malware that kind of came on the scene. And initially, people thought it was another new variant of IcedID. But great. This is, this is, this is interesting. But it turned out to be something completely different. It was Latrodectus, but suspected to be developed by the same folks who created IcedID. So this top dog of initial access malware that had been used for so long just sort of disappeared. And in its place rose Latrodectus.

Did Latrodectus have some sort of significant upgrade to it that caused them to abandon the other one? Or, I mean, it seems weird that we just take something that was working and go to something different.

Great question. Not really. And actually, if you ask my colleague, Pim, who did all of the malware reversing on Latrodectus, he thinks it's a little basic. He's not very impressed with this particular malware. He would like the threat actors to try a little bit harder.

Oh, don't say that.

To make things more fun for him.

Yeah, let's taunt them, Selena. That would be great for all of us.

You're right. You're right. I know.

So Latrodectus is the version of me dialing up to the internet with my modem. Is that what you're telling me?

I don't know if it's quite that, because it's still a payload that's used by initial access brokers, right? Like, we're still seeing it being used by threat actors, although not as much as IcedID. Which is kind of interesting, you know. IcedID was really up there, like with Qbot, right? Like, you had these sort of, you know, frequent, highly regarded malware, highly used malware that typically led to ransomware. I mean, IcedID, we saw throughout its lifecycle leading to Maze, Sodinokibi, Egregor. The DFIR Report just published a couple of posts recently about it going to Nokoyawa, Dagon Locker ransomware. So, you know, it was really kind of a key component in many, many ransomware attacks. So it's kind of interesting that, you know, it just sort of fell off the landscape and Latrodectus came back. We only see it with a couple of threat actors, but it's still like, you know, you're still trying to figure out, like, what comes next? IcedID was so prominent and then it just kind of disappeared and now we're all kind of seeing like, okay, what's going on?

And now a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Traditional security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach, that's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

This is all coinciding with just chaotic vibes of e-crime landscapes, so there's a lot of outstanding questions, I feel like, in general.

Right, so sometimes we talk about maybe there's internal strife among the team that could have been working on IcedID, and so a handful of them break off and decide to do this new thing, or sometimes they'll try to throw law enforcement off the trail, and they'll say, "Oh, look, we're not them anymore. This is a completely new group." I mean, do we have any indications of what might have been prompting this name change, or is it still just a mystery?

As far as we know, it's still just a mystery. I do think that you bring up a very good point, though, when you're talking about it.

Don't encourage him, Selena, come on, he thinks he's the Edward R. Murrow of malware. Okay, come on, it's not that important.

Selena, don't listen to him. For him, virus protection includes garlic and a wooden stake.

And it has been effective ever since, I'm just saying.

Okay, as we were saying, Selena, before we were so rudely interrupted.

You know, I'm going to make a note of that and share it with my detection team, that they should all put cloves in their USB drive, cloves of garlic.

I mean, it couldn't hurt.

Just in case, taking lessons from these older folks, how we used to combat malware back in the day.

Speak for yourself, Selena. Speak for yourself.

But no, I mean, I think that is a good point if we think about the characters who are in the cyber crime landscape, and there is kind of drama and strife often. I think the Conti leaks was a great example of showing how, you know, different threat actors interact with each other, how they're kind of oftentimes in, like, a business hierarchy. They have people working on HR, they have, you know, complaints about fellow employees, and with the fracturing of Conti kind of splintering into these different groups. And so, you know, IcedID is kind of, you know, part of that overall cinematic universe of ransomware cyber crime. And there's a little bit, I would love to see, like, a Real Housewives of cyber crime.

Wait, that's a different show. That's a completely different show.

You're right, you're right. That's next season. Sorry. Sorry.

Get the FBI on the line.

Yeah, to figure out, you know, what is the motivation, how do they react to things, what, you know, just hearing the gossip and, you know, all of the why decisions are made.

I think I'm still confused about why Proofpoint has linked the two pieces of malware together, the IcedID and the Latrodectus. Is there common code elements there, or it looks like the same kind of coding style? I mean, what's the thing that links it together?

Yeah. So there are characteristics within the malware itself that point to an overlap. There's also infrastructure overlap with historic IcedID operations. And so when we were taking a look at this new Latrodectus, in fact, it looked so similar to IcedID that initial analysis thought Latrodectus was a new variant of the IcedID malware. And so there was a lot of discussion on various, you know, socials and stuff about, oh, what is this malware? What's going on? And so we were able to, within, you know, doing some analysis and being able to kind of find and highlight, you know, some of those links. There was some, you know, like, for example, some sort of sophistication involved, right? They had various sandbox evasion functionality, different encryption styles, but fundamentally we were able to see, you know, some of those links. But what we don't see, while the links exist in the malware, it hasn't reached the level of IcedID operations, historic IcedID operations, and what we've seen from that malware and operators of that malware. So it hasn't, like, one-to-one replaced it. And so it's still kind of an open question, like, where does this go from here? And is this even going to continue to be successful, or is there going to be a pivot to something completely different? Like we've seen, you know, with the Qbot disruption, meaning threat actors have to use something totally, completely new. So yeah, it's still kind of an open question.

When you think about Latrodectus and its place in the malware ecosystem, how serious a threat is this, and how much energy should folks be putting in to protect themselves against it?

Well, I like to think that, you know, there's various tiers in my mind, and again, this is just, you know, how I think about things, in terms of the types of threat actors. And if we have threat actors that are initial access brokers that are using something new, it's definitely worth paying attention to, because initial access brokers are the ones that are responsible for some of the most damaging cyber crime attacks, ransomware that, you know, costs hundreds of millions of dollars. And you know, there's the malware that you have to think about, and, you know, thinking about defense for the actual, you know, like, on-network defense, but there's also thinking about the lead-up to it, the initial access. And so sort of this idea of defense in depth to prevent not just the installation of potentially Latrodectus, but any other malware the threat actors that are initial access brokers are going to be using, because Latrodectus is just one, right? We have seen, for example, after the Qbot disruption, Pikabot being, you know, kind of that replacement. And so there's, you know, the malware might change, but if we're looking at initial access brokers, their experimentation, their sophistication, all of that they're doing to just try and compromise organizations, you know, it's always worth paying attention to when they use something new.

So what's the main takeaway here, Selena? I mean, is there common protections for Latrodectus, or does it mean something specific if you see that kind of thing in your environment?

So I would say that with Latrodectus in particular, I have to say the community has really come together to do a lot of really great research into this particular malware. Proofpoint actually published a blog in collaboration with Team Cymru looking at this particular malware and its infrastructure, and that was pretty interesting to see a lot of, you know, some of the overlap with historic IcedID operations. But you know, when there is something like an initial access type of malware that is identified, that's always something that should be sort of like a high priority, you know, investigation. Like, as we've seen historically, certainly with IcedID, things like Qbot, the access to ultimate ransomware delivery, the relationship is there. And I think the DFIR Report recently came out with an example of an IcedID infection with the time to ransomware being 29 days, you know, it's the whole cycle and the activity is there. There's going to be, likely, especially for talking about initial access brokers, there's going to be the initial malware delivery, there's going to be data exfiltration, there's going to be lateral movement, they're going to try and, you know, spread themselves as much as they can before actually leading to ultimate encryption. So yeah, I mean, I think the jury is still out on, like, what does Latrodectus mean, but it's a great example of the continued experimentation of initial access brokers, the continued use of new tools, new resources, trying to adopt new techniques to see what works best. And they're always out there trying to compromise computers and make as much money as possible.

Well, Selena, thank you for sharing all of this information with us. We are excited to be part of Only Malware in the Building, Rick and I. We do have to run; we are meeting up later today to play an exciting game of Pong together.

So I believe I'm ahead, Dave, I believe I'm ahead.

Well, right, but before we do, we both need a nap, so thanks so much. And we will see you here next month.

Thank you guys. I'm very much looking forward to it. And thanks to you, all our listeners, for tuning in to Only Malware in the Building.

[MUSIC]