Last known affiliation: Team Cymru
Bio: Josh Hopkins now leads the internal S2 research team and has been a threat researcher with Team Cymru for the past six years, specialising in the tracking of infrastructure for a diverse target set that includes both nation state and criminal threat actors. Josh has an extensive background in law enforcement and national security investigations.
Josh Hopkins 🗣 | Thibault Seret 🗣
Abstract
This talk provides an insight into Team Cymru’s tracking of IcedID over the past 24 months, following its transition from banking trojan to all-round loader malware. We will demonstrate how we identify potential bot and loader C2 infrastructure through our network telemetry data, and provide confirmation of these findings through config extraction.
IcedID (also referred to as BokBot) first appeared in early 2017 as a ‘traditional’ banking trojan leveraging webinjects to steal financial information from victims. Since then, it has evolved to include dropper functionality, and is now primarily used as a vehicle for the delivery of other tools, such as Cobalt Strike, and the eventual deployment of ransomware.
IcedID itself is commonly delivered in phishing (spam) campaigns, leveraging an assortment of lure types and execution processes.