The curious case of the missing IcedID. [Only Malware in the Building]

Released Tuesday, 4th June 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:02

You're listening to the CyberWire Network, powered by N2K.

0:11

This week on Only Malware in the Building: You know, I'm going to make a note of that and share it with my detection team that they should all put cloves in their USB drive. Cloves of garlic. I mean, it couldn't hurt. I just upgraded my modem, Dave. I don't want to hear any crap about how slow I am on this particular episode. We sound impulsively brilliant. Even malware has multiple names for the same type of malware. It's, yeah, to keep them straight. Do we understand the circumstances of how it just fell off the radar? Only if you'll share your dips, Dave. No.

0:48

I'm sorry. Welcome.

0:59

You've entered Only Malware in the Building. Join us each month to sip tea over unsolved mysteries about today's most interesting threats. I'm your host, Selena Larson, Proofpoint threat researcher. Being a security researcher is a bit like being a detective. You gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. Inspired by Mabel Mora and the residents of New York's exclusive Upper West Side, I, alongside N2K Networks' Dave Bittner and Rick Howard, uncover the stories behind notable cyberattacks.

1:51

Don't struggle to align your organization's cybersecurity with business risk. Get the only solution that goes beyond reacting to threats with vulnerability and risk monitoring. You need the next evolution of MDR, and only Critical Start delivers it. Critical Start doesn't just monitor and respond to threats. They put you in control by detecting suspicious activities, quickly responding to contain threats, and identifying your most critical assets and protecting them against vulnerabilities and exposures. With continuous visibility, expert guidance and measurable risk reduction, Critical Start has redefined what it means to manage cyber risk. Demonstrate provable security maturity to your leadership while positioning your program to achieve the greatest risk reduction per dollar spent. Stop fearing risk and start managing it with Critical Start. Visit criticalstart.com and request a demo today. That's criticalstart.com.

3:00

Today, we're talking about a curious case of the missing IcedID. IcedID is a malware originally classified as a banking Trojan and first observed in 2017. It also acts as a loader for other malware, including ransomware, and was a favored payload used by multiple cybercriminal threat actors until the fall of 2023. Then it all but disappeared. In its place, a new threat called Latrodectus. Named after a spider, this new malware, created by the same people as IcedID, is now poised to take over where IcedID melted off.

3:39

I'm a little bit grossed out about all this. First IcedID, IcedID, and the tea that you mentioned at the top of the show. Does that mean there's a spider in the cup also? Oh my God. No, but I highly recommend not googling this malware name, especially if you have a fear of spiders like I do. Ha ha ha ha.

4:01

I'm sorry. I'm sorry. I was, um, I was just enjoying a delicious dip. Selena, I want to apologize that Rick and I were both late to this recording session. We were waiting for Rick's dial-up to connect. I just upgraded my modem, Dave, so I don't want to hear any crap about how slow I am on this particular episode. Sure, okay, absolutely. Guys, guys, guys, we have to be cool. Think about our audience.

4:31

Well, let's start out, I mean, talking about IcedID. So what is IcedID and how did it originally emerge into the cybersecurity landscape?

4:47

IcedID has been around. Like I mentioned, it was initially classified as a banking malware. It was first observed in 2017. It was really part of that banking Trojans family. There was this era of cybercrime where you had things like IcedID, Dridex, all came on scene that were classified as banking malware. They were going after banking credentials, real money. And then it started acting as a loader for other malware, including ransomware. It was used by multiple prominent initial access brokers, so essentially those threat actors that are trying to gain access to compromise the system and then deliver ransomware. Emotet, for example, was seen delivering IcedID.

5:30

Can I just pause and say that the reason I love cybersecurity is all the cool names that we come up with to describe all this stuff. I mean, you rattled off maybe nine different malware names, right, that is on the tip of the tongue of everybody. And that's the reason I'm here. OK, Selena.

5:47

You know what, I feel like it has gone slightly overboard, though. You know, it's hard to keep them all in my head. There's just so many and the names are so chaotic. Yeah, I wish there was one organization that could take responsibility for being the defining name, because every malware actor has half a dozen different names. Very often it is my job to say them all and keep them straight. It is not easy. Well, even IcedID was aka BokBot in the early days. Even malware has multiple names for the same type of malware. It's, yeah, you have to keep them straight. Sounds like a robot chicken. Yeah.

6:31

What I love about it though is that we have malware names and we have hacker names. We have hacker group names, and sometimes they're the same names. And then, just like talking about getting confused, I have no idea what we're talking about most of the time. Oh, Rick. Rick, you don't give yourself enough credit. Selena, I think that it is safe to say that Rick is a security genius. Not particularly true, but safe. Hey, I am in the presence of greatness right now. Oh, stop. Go on. Please, please tell me more. Tell me more. Only if you'll share your dips, Dave. Okay. No, I'm sorry. It's not enough. Well, you obviously haven't read my contract. There will be no sharing of the dips.

7:22

So all right. So we've talked about IcedID.

7:26

So what happened to IcedID? Do we understand the circumstances of how it just fell off the radar?

7:32

That's a very good question. So it was pretty prominent. And back in early 2023, we actually saw a new variant of IcedID called IcedID Lite that kind of removed some of the functionality of the initial type of malware. So we thought that continuing development, going all in on this type of malware. And then in the fall, it really just sort of stopped appearing in campaign data. We were asking ourselves at Proofpoint, you know, fellow researchers being like, hey, you know, what's going on? Because the actors that use IcedID, these initial access brokers, they're still active. And it coincided, the fall of IcedID sort of coincided with, in November 2023, this, you know, new malware that kind of came on the scene. And initially people thought it was another new variant of IcedID. Great, this is interesting. But it turned out to be something completely different. It was Latrodectus, but suspected to be developed by the same folks who created IcedID. So this top dog of initial access malware that had been used for so long just sort of disappeared, and in its place rose Latrodectus.

8:49

Did Latrodectus have some sort of significant upgrade to it that caused them to abandon the other one? Or, I mean, it seems weird that we just take something that was working and go to something different.

9:02

Great question. Not really. And actually, if you ask my colleague, Pim Trouerbach, who did all of the malware reversing on Latrodectus, he thinks it's a little basic. He's not very impressed. Wow. With this particular malware, he would like the threat actors to try a little bit harder. Oh, don't say that. It's amazing. More fun for him. Yeah, let's taunt them, Selena. That would be great for all of us. You're right. You're right. I know. So Latrodectus is the version of me dialing up to the internet with my modem. Is that what you're telling me?

9:37

I don't know if it's quite that, because it's still very much used by initial access brokers, right? Like we're still seeing it being used by actors, although not as much as IcedID, which is kind of interesting. You know, IcedID was really up there, like with Qbot, right? Like you had these sort of, you know, frequent, highly regarded, highly used malware that typically led to ransomware. IcedID, we saw throughout its life cycle leading to Maze, Sodinokibi, Egregor. The DFIR Report just published a couple of posts recently about it going to Nokoyawa, Dagon Locker ransomware. So it was really kind of a key component in many, many ransomware attacks. So it's kind of interesting that it just sort of fell off the landscape. And Latrodectus came back. We only see it with a couple of our actors, but it's still like, you know, there's just so much of that, like, what comes next? IcedID was so prominent and then it just kind of disappeared, and now we're all kind of thinking like, okay, what's going on?

10:35

And now a word from our sponsor Zscaler, the leader in cloud security. Cyber attackers are using AI in creative ways to compromise users and breach organizations. In a security landscape where you must fight AI with AI, the best AI protection comes from having the best data. Zscaler has extended its zero trust architecture with powerful AI engines that are trained and tuned by 500 trillion daily signals. Learn more about Zscaler Zero Trust Plus AI to prevent ransomware and AI attacks. Experience your world secured. Visit zscaler.com/zerotrustai.

11:39

This is all coinciding with just chaotic vibes of the e-crime landscape. So there's a lot of outstanding questions, I feel like, in general.

11:48

Right. So I mean, you know, sometimes we talk about maybe there's internal strife among the team that could have been working on IcedID. And so a handful of them break off and decide to do this new thing, or sometimes they'll try to throw law enforcement off the trail and say, oh look, we're not them anymore, this is a completely new group. Do we have any indications of what might have been prompting this name change, or is this still just a mystery?

12:16

As far as we know, it's still just a mystery. I do think that you bring up a very good point though when you're talking about... Don't encourage him, Selena. I mean, come on, he thinks he's the Edward R. Murrow of malware. Okay, come on, it's not that important. Selena, don't listen to him. For him, virus protection includes garlic and a wooden stake. And it has been effective ever since, I'm just saying. Okay. As we were saying, Selena, before we were so rudely interrupted... You know, I'm going to make a note of that and share it with my detection team that they should all put cloves in their USB drive, cloves of garlic. I mean, it couldn't hurt. Just in case, taking lessons from the older folks, how we used to combat malware back in the day. Speak for yourself, Selena. Speak for yourself.

13:10

But no, I mean, I think that is a good point if we think about the characters who are in the cybercrime landscape. And there is kind of drama and strife often. I think the Conti leaks is a great example of showing how different threat actors interact with each other, how they're kind of oftentimes in like a business hierarchy. They have people working on HR. They have complaints about fellow employees, and with the fracturing of Conti kind of splintering into these different groups. And so I think it's kind of part of that overall cinematic universe of ransomware cybercrime. And there are a little bit, I would love to see like a Real Housewives of Cybercrime. Wait, that's a different show. That's a completely different show. You're right. You're right. That's next season. Sorry. Sorry. Get the FBI on the line. Yeah. To figure out, you know, what is the motivation? How did they react to things? What, you know, just hearing the gossip and, you know, why all of the decisions are made.

14:20

I'm still confused about why Proofpoint has linked the two pieces of malware together, the IcedID and the Latrodectus. Is there common code elements there, or it looks like the same kind of coding style? I mean, what's the thing that links it together?

14:33

Yeah. So there are characteristics within the malware itself that point to an overlap. There's also infrastructure overlap with historic IcedID operations. And so when we were taking a look at this new Latrodectus, in fact, it looked so similar to IcedID that initial analysis thought Latrodectus was a variant of the IcedID malware. And so there was a lot of discussion on various, you know, socials and stuff about, oh, what is this malware? What's going on? And so we were able to, within, you know, doing some analysis and being able to kind of find and highlight, you know, some of those links. There was some, you know, like, for example, some sort of sophistication involved, right? They had various sandbox evasion functionality, different encryption styles, but fundamentally we were able to see, you know, some of those links. But what we don't see, while the links exist in the malware, it hasn't reached the level of IcedID operations, historic IcedID operations, and what we've seen from that malware and operators of that malware. So it hasn't like one-to-one replaced it. And so it's still kind of an open question, like, where does this go from here? And is this even going to continue to be successful? Or is there going to be a pivot to something completely different, like we've seen, you know, with the Qbot disruption, meaning something totally, completely new. So yeah, it's still kind of an open question.

16:15

And now a word from our sponsor, Syxsense. Syxsense provides award-winning, cloud-based, automated endpoint and vulnerability management solutions to streamline IT and security operations. With its advanced platform, businesses gain complete visibility and control over their infrastructure, reducing IT and security risks and optimizing operational efficiency. With Syxsense, you'll get real-time alerts, risk-based vulnerability prioritization and remediation, and an intuitive automation and orchestration engine so you can focus on your core business goals, confident in the knowledge that your enterprise is secure, compliant and running smoothly. To learn why enterprises choose Syxsense, visit syxsense.com.

17:08

When you think about Latrodectus and its place in the malware ecosystem, how serious a threat is this, and how much energy should folks be putting in to protect themselves against it?

17:20

Well, I like to think that, you know, there's various tiers in my mind, and again, this is just, you know, how I think about things, in terms of the types of threat actors. And if we have threat actors that are initial access brokers that are using something new, it's definitely worth paying attention to. Because initial access brokers are the ones that are responsible for some of the most damaging cybercrime attacks, ransomware, that costs hundreds of millions of dollars. And, you know, there's the malware that you have to think about, and, you know, thinking about defense for the actual, you know, like on-network defense. But there's also thinking about the lead-up to it, the initial access. So this idea of defense in depth to prevent not just the installation of potentially Latrodectus but any other malware the threat actors that are initial access brokers are going to be using, because Latrodectus is just one. We have seen, for example, with the Qbot disruption, Pikabot being that replacement. The malware might change, but if we're looking at initial access brokers, their experimentation, their sophistication, all that they're doing to just try and compromise organizations, it's always worth paying attention to when they use something new.

18:39

So what's the main takeaway here, Selena? I mean, is there common protections for Latrodectus, or does it mean something specific if you see that kind of thing in your environment?

18:49

So I would say that with Latrodectus in particular, I have to say the community has really come together to do a lot of really great research into this particular malware. Proofpoint actually published a blog in collaboration with Team Cymru looking at this particular malware and its infrastructure. That was pretty interesting to see some of the overlap of historic IcedID operations. But when there is something like an initial access type of malware that is identified, that's always something that should be a high-priority investigation. As we've seen historically, certainly with IcedID, things like Qbot, the access to ultimate ransomware delivery, the relationship is there. I think the DFIR Report recently came out with an example of an IcedID infection with the time to ransomware being 29 days. The whole cycle and the activity is there. There's going to be likely, especially if we're talking about initial access brokers, there's going to be the initial malware delivery, there's going to be data exfiltration, there's going to be lateral movement. They're going to try and spread themselves as much as they can before actually leading to ultimate encryption. I mean, I think the jury's still out on, like, what does Latrodectus mean? But it's a great example of the continued experimentation of initial access brokers, the continued use of new tools, new resources, trying to adopt new techniques to see what works best. And they're always out there trying to compromise computers and make as much money as possible.

20:30

Well, Selena, thank you for sharing all of this information with us. We are excited to be part of Only Malware in the Building. Rick and I, we do have to run. We are meeting up later today to play an exciting game of Pong together. So I believe I'm ahead, Dave. I believe I'm ahead. Well, right. But before we do, we both need a nap. So thanks so much. And we will see you here next month. Thanks, you guys. I'm very much looking forward to it. And thanks to you, all our listeners, for tuning in to Only Malware in the Building.

21:09

Hey, listeners. We're always looking for ways to improve the N2K CyberWire network and maintain the intelligence-driven news experience that keeps you in the know on the latest developments in cybersecurity. We've launched our 2024 audience survey and would love for you to take a few minutes to share your feedback. And hey, there's even a chance to win a $100 Amazon gift card if you complete the survey. Visit cyberwire.com/survey. That's cyberwire.com/survey and share your feedback now.

Rate

Join Podchaser to...

  • Rate podcasts and episodes
  • Follow podcasts and creators
  • Create podcast and episode lists
  • & much more

Episode Tags

Do you host or manage this podcast?
Claim and edit this page to your liking.
,

Unlock more with Podchaser Pro

  • Audience Insights
  • Contact Information
  • Demographics
  • Charts
  • Sponsor History
  • and More!
Pro Features