Last known affiliation: Team Cymru
Bio: Thibault Seret – Thibault is a threat researcher on Team Cymru’s S2 team. He is currently focusing on crimeware and APT analysis and research, reverse engineering and threat intelligence, and trying to fight against bad guys. Before joining Team Cymru, he worked as a Threat Researcher in McAfee’s ATR team, as a cybercrime analyst in a banking institution with the mission to improve the digital forensics department, and as a CERT analyst at an IT services company where he tried to save the world with his teammate. He participates a lot in the security community and CTF competitions, and is a teacher for the next generation of cyber defenders. For the Alliance!
Josh Hopkins | Thibault Seret
Abstract
This talk provides insight into Team Cymru’s tracking of IcedID over the past 24 months, following its transition from banking trojan to all-round loader malware. We will demonstrate how we identify potential bot and loader C2 infrastructure through our network telemetry data, and confirm these findings through config extraction.
IcedID (also referred to as BokBot) first appeared in early 2017 as a ‘traditional’ banking trojan leveraging webinjects to steal financial information from victims. Since this time, it has evolved to include dropper functionality, and is now primarily used as a vehicle for the delivery of other tools, such as Cobalt Strike, and the eventual deployment of ransomware.
IcedID itself is commonly delivered in phishing (spam) campaigns, leveraging an assortment of lure types and execution processes.