Episode Transcript
0:02
You're listening to the CyberWire Network,
0:04
powered by N2K. This
0:11
week on Only Malware in the Building. You
0:13
know, I'm going to make a note of that and
0:16
share it with my detection team that they should all
0:18
put cloves in their USB drive, cloves
0:20
of garlic. I mean, it couldn't
0:22
hurt. I just upgraded my modem,
0:24
Dave. I don't want to hear
0:26
any crap about how slow I
0:28
am on this particular episode. We
0:30
sound impulsively brilliant. Even malware has
0:33
multiple names for the same type
0:35
of malware. It's, yeah, you have to keep
0:37
them straight. Do we understand the
0:39
circumstances of how it just fell off the
0:41
radar? Only if you'll share your dips,
0:43
Dave. No.
0:48
I'm sorry. Welcome.
0:59
You've entered Only Malware in
1:02
the Building. Join us each month
1:04
to sip tea on unsolved mysteries about
1:06
today's most interesting threats. I'm your
1:08
host Selena Larson, Proofpoint
1:11
threat researcher. Being a security researcher
1:13
is a bit like being a
1:15
detective. You gather clues, analyze the
1:18
evidence, and consult the experts to
1:20
solve the cyber puzzle. Inspired by
1:22
Mabel Mora and the residents of
1:24
New York's exclusive Upper West Side
1:27
I, alongside N2K
1:29
Networks' Dave Bittner and Rick
1:31
Howard uncover the stories behind
1:33
notable cyber attacks. Don't
1:51
struggle to align your organization's cyber
1:53
security with business risk. Get the
1:56
only solution that goes beyond reacting
1:58
to threats with vulnerability and
2:00
risk monitoring. You need the next
2:02
evolution of MDR and
2:04
only Critical Start delivers it. Critical
2:07
Start doesn't just monitor and respond
2:09
to threats. They put
2:11
you in control by detecting
2:13
suspicious activities, quickly responding to
2:15
contain threats and identifying your
2:17
most critical assets and protecting
2:19
them against vulnerabilities and exposures.
2:22
With continuous visibility, expert guidance
2:24
and measurable risk reduction, Critical
2:26
Start has redefined what it
2:28
means to manage cyber risk. Demonstrate
2:31
provable security maturity to your
2:33
leadership while positioning your program to
2:35
achieve the greatest risk reduction
2:37
per dollar spent. Stop
2:40
fearing risk and start managing it with
2:42
Critical Start. Visit criticalstart.com
2:44
and request a
2:46
demo today. That's
2:48
criticalstart.com. Today,
3:00
we're talking
3:03
about a curious case of
3:06
the missing IcedID. IcedID
3:08
is a malware originally classified as a
3:11
banking Trojan and first observed in 2017.
3:14
It also acts as a loader for
3:16
other malware, including ransomware and was a
3:19
favored payload used by multiple cyber criminal
3:21
threat actors until the fall of 2023.
3:25
Then it all but disappeared. In
3:27
its place, a new threat called
3:29
Latrodectus. Named after a
3:31
spider, this new malware created by the
3:34
same people as IcedID is now poised
3:36
to take over where IcedID left off.
3:39
I'm a little bit grossed out
3:41
about all this. First IcedID, iced
3:43
tea, that you mentioned
3:45
at the top of the show. Does that mean there's
3:47
a spider in the cup also? Oh my God. No,
3:51
but I highly recommend not
3:53
googling this malware name, especially
3:55
if you have a fear of spiders like I
3:57
do. Ha ha ha ha. I'm
4:01
sorry. I'm sorry. I
4:03
was um, I was
4:05
just enjoying a delicious dip. Selena
4:09
I want to apologize that
4:12
Rick and I were both late to this
4:14
recording session. We were waiting for Rick's dial-up
4:16
to connect. I
4:18
just upgraded my modem, Dave, so I don't want
4:20
to hear any crap about how slow I am
4:22
on this particular episode. Sure,
4:25
okay, absolutely. Guys, guys, guys,
4:27
we have to be cool. Think about our audience.
4:31
Well, let's start out, I mean,
4:33
talking about IcedID. So what
4:35
is IcedID and how did
4:38
it originally emerge into the cybersecurity
4:40
landscape? IcedID
4:47
has been around. Like
4:50
I mentioned, it was initially classified as
4:52
a banking malware. It was first observed
4:54
in 2017. It
4:57
was really part of that banking
4:59
Trojans family. There was this era
5:01
of cybercrime where you had things
5:04
like IcedID, Dridex, all came
5:06
on scene that were classified as
5:08
banking malware. They were going after
5:10
banking credentials, real money. And then
5:12
it started acting as a loader
5:15
for other malware, including ransomware. It
5:17
was used by multiple
5:19
prominent initial access brokers. So essentially
5:21
those threat actors that are trying
5:23
to gain access to compromise the
5:25
system and then deliver ransomware. Emotet,
5:28
for example, was seen delivering IcedID.
5:30
Can I just
5:32
pause and say that the reason I love cybersecurity is
5:34
that all the cool names that we come up with
5:36
to describe all this stuff. I mean, you write a
5:38
rattle off maybe nine different malware names, right, that are
5:41
on the tip of the tongue of everybody. And that's
5:44
the reason I'm here. OK, Selena.
5:47
You know what, I feel like it has
5:50
gone slightly overboard, though, you know, it's
5:52
hard to keep them all in my head. There's
5:54
just there's just so many and the names are so
5:56
chaotic. Yeah, I wish there
5:59
was one organization that could take responsibility
6:01
for being the defining name
6:03
because every malware actor
6:05
has half a dozen different names. Very
6:09
often it is my job to say them all and
6:12
keep them straight. It is
6:14
not easy. Well, even
6:17
IcedID was AKA BokBot in
6:19
the early days. Even
6:22
malware has multiple names for the same
6:24
type of malware. It's yeah, you
6:26
have to keep them straight. Sounds like
6:28
a robot chicken. Yeah. What
6:31
I love about it though is that we have
6:33
malware names and we have
6:35
hacker names. We have hacker group
6:37
names and sometimes they're the
6:40
same names. And then just like talking about
6:42
getting confused. I have no idea what we're
6:44
talking about most of the time. Oh,
6:47
Rick. Rick,
6:49
you don't give yourself enough credit. Selena, I
6:51
think that it is safe to say that
6:54
Rick is a security genius. Not
6:57
particularly true, but safe. Hey,
7:01
I am in the presence of greatness right now.
7:05
Oh, stop. Go on. Please, please
7:07
tell me more. Tell me
7:09
more. Only if you'll share your dips, Dave.
7:12
Okay. No, I'm sorry. It's
7:14
not enough. Well,
7:17
you obviously haven't read my contract.
7:19
There will be no sharing of
7:22
the dips. So all
7:24
right. So we've talked about IcedID.
7:26
So what happened to IcedID? Do
7:30
we understand the circumstances of how it just fell
7:32
off the radar? That's a
7:34
very good question. So
7:44
it was pretty prominent. And
7:47
back in early 2023, we actually saw
7:49
a new variant of IcedID called
7:51
IcedID Lite that kind of removed some
7:53
of the functionality of the initial type
7:55
of malware. So we thought there was continuing
7:58
development, going all in on this
8:00
type of malware. And then in the
8:02
fall, it really just sort of stopped appearing
8:05
in campaign data. We were
8:07
asking ourselves at Proofpoint, you know,
8:09
fellow researchers being like, hey, you know,
8:11
what's going on? Because the actors that
8:13
use IcedID, these initial access brokers,
8:15
they're still active. And it coincided,
8:18
the fall of IcedID,
8:21
sort of coincided with in November 2023, this,
8:24
you know, new malware that
8:26
kind of came on the scene. And
8:28
initially people thought it was another new
8:30
variant of IcedID. But great, this
8:32
is interesting. But
8:34
it turned out to be something completely
8:36
different. It was Latrodectus, but suspected to
8:38
be developed by the same folks who
8:41
created IcedID. So this
8:43
top dog of initial access malware
8:45
that had been used for so
8:47
long, just sort of disappeared and
8:49
in its place rose Latrodectus. Did
8:51
Latrodectus have some sort of significant upgrade
8:54
to it that caused them to abandon
8:56
the other one? Or I mean, it
8:58
seems weird that we just take something
9:00
that was working and go to something different.
9:02
Great question. Not really. And
9:05
actually, if you ask my colleague, Pim
9:07
Trouerbach, who did all of the malware
9:09
reversing on Latrodectus, he thinks it's a
9:11
little basic. He's not very impressed.
9:14
Wow. With this particular malware, he would
9:17
like the threat actors to try a
9:19
little bit harder. Oh,
9:21
don't say that. It's
9:24
amazing. More fun for him. Yeah, let's
9:26
taunt them, Selena. That would be great
9:28
for all of us. You're right. You're
9:30
right. I know. So Latrodectus is
9:32
the version of me dialing up to the internet
9:34
with my modem. Is that what you're telling me?
9:37
I don't know if it's quite that because it's still
9:39
very much in use by initial access brokers,
9:42
right? Like we're still seeing it being used
9:44
by a set of actors, although not as much as
9:46
IcedID, which is kind of interesting. You
9:48
know, IcedID was really up there like
9:50
with Qbot, right? Like you had these
9:52
sort of, you know, frequent, highly
9:55
regarded, highly used malware that typically
9:57
led to ransomware. I mean, IcedID, we
10:00
saw throughout its life cycle
10:02
leading to Maze, Sodinokibi, Egregor,
10:04
the DFIR Report just published a
10:06
couple of posts recently about it
10:08
going to Nokoyawa, Dagon Locker ransomware.
10:10
So it was really kind of
10:12
a key component in many, many
10:15
ransomware attacks. So it's kind of
10:17
interesting that it just sort of
10:19
fell off the landscape. And Latrodectus
10:21
came along. We only see it with a couple
10:24
of our tracked actors, but it's still like, you
10:26
know, there's just so much of that like, what
10:28
comes next? IcedID was so prominent
10:31
and then it just kind of disappeared and now we're
10:33
all kind of thinking like, okay, what's going on?
10:35
And
10:51
now a word from our sponsor
10:53
Zscaler, the leader in cloud security.
10:56
Cyber attackers are using AI
10:58
in creative ways to compromise
11:00
users and breach organizations in
11:03
a security landscape where you must fight
11:05
AI with AI. The best AI protection
11:07
comes from having the best data. Zscaler
11:10
has extended its zero trust architecture
11:12
with powerful AI engines that are
11:14
trained and tuned by 500 trillion
11:17
daily signals. Learn more
11:20
about Zscaler Zero Trust Plus
11:22
AI to prevent ransomware and
11:24
AI attacks. Experience
11:26
your world secured.
11:28
Visit zscaler.com/zerotrustai.
11:31
This
11:39
is all coinciding with just chaotic
11:42
vibes of e-crime landscape. So
11:44
there's a lot of outstanding
11:46
questions I feel like in
11:48
general. Right. So I mean,
11:50
you know, sometimes we talk about maybe
11:52
there's internal strife among the
11:54
team that could have been working on IcedID.
11:56
And so a handful of them break
11:59
off and decide to do this
12:01
new thing or sometimes they'll
12:03
try to throw law enforcement off the
12:05
trail and say, oh look, we're not
12:07
them anymore, this is a completely new
12:10
group. Do we have any indications of
12:12
what might have been prompting this name
12:14
change or is this still just a
12:16
mystery? As far as we know,
12:18
it's still just a mystery. I do
12:20
think that you bring up a very good point
12:22
though when you're talking about... Don't
12:24
encourage him, Selena. I mean, come on, he
12:27
thinks he's the Edward R. Murrow of malware.
12:29
Okay, come on, it's not that important. Selena,
12:33
don't listen to him. For him,
12:35
virus protection includes garlic and a wooden
12:37
stake. And it
12:39
has been effective ever since, I'm just saying.
12:42
Okay. As we were saying,
12:44
Selena, before we were so rudely
12:47
interrupted... You know, I'm
12:49
going to make a note of that and share
12:51
it with my detection team that they should all
12:53
put cloves in their USB drive, cloves of garlic.
12:56
I mean, it couldn't hurt. Just in
12:58
case, taking lessons from the
13:01
older folks, how we
13:03
used to combat malware back in the
13:05
day. Speak for yourself, Selena. Speak
13:07
for yourself. But
13:10
no, I mean, I think that is a good
13:12
point if we think about the characters
13:15
who are in the cybercrime
13:17
landscape. And there is kind
13:19
of drama and strife often. I think
13:21
the Conti leaks is a great example
13:23
of showing how different
13:26
threat actors interact with each other, how
13:28
they're kind of oftentimes in like a
13:30
business hierarchy. They have people
13:32
working on HR. They have complaints
13:35
about fellow employees and with the fracturing
13:37
of Conti kind of splintering into these
13:40
different groups. And so,
13:42
I think this is kind of part of that overall
13:45
cinematic universe of ransomware
13:48
cybercrime. And there is a
13:51
little bit, I would love to see like
13:53
a real housewives of cybercrime.
13:57
Wait, that's a different show. That's
13:59
a completely different show. You're
14:01
right. You're right. That's next
14:04
season. Sorry. Sorry. Get the FBI on
14:06
the line. Yeah.
14:08
To figure out, you know, what is the
14:10
motivation? How did they react to things? What,
14:12
you know, just hearing the gossip
14:15
and you know, all of the
14:17
why decisions are made. I'm
14:20
still confused about why Proofpoint
14:22
has linked the two pieces of
14:24
malware together. The IcedID and the
14:26
Latrodectus. Are there common code elements
14:28
there or it looks
14:31
like the same kind of coding style? I mean, what's
14:33
the thing that links it together? Yeah.
14:35
So there are characteristics within the
14:37
malware itself that points to an
14:39
overlap. There's also infrastructure
14:41
overlap with historic IcedID operations.
14:43
And so when we were taking
14:45
a look at this new Latrodectus,
14:47
in fact, it looked so similar
14:49
to IcedID
14:51
that initial analysis thought
14:54
Latrodectus was a variant of the
14:57
IcedID malware. And so there was
14:59
a lot of discussion on various, you
15:01
know, socials and stuff about, oh, what
15:03
is this malware? What's going on? And
15:06
so we were able to, within, you
15:08
know, doing some analysis and
15:10
being able to kind of find and highlight, you
15:12
know, some of those links, there
15:14
was some, you know, like, for example,
15:16
some sort of sophistication involved, right? They
15:19
had various sandbox
15:21
evasion functionality, different encryption
15:24
styles, but fundamentally, we were able to see,
15:27
you know, some of those links. But what
15:29
we don't see, while the links exist in
15:31
the malware, it hasn't reached
15:33
the level of IcedID operations, historic
15:35
IcedID operations, and what we've seen
15:37
from that malware and operators of that
15:40
malware. So it hasn't like one to
15:42
one replaced it. And so it's still
15:44
kind of an open question, like, where
15:46
does this go from
15:48
here? And is this even going
15:51
to continue to be successful? Or is there going to be a
15:53
pivot to something completely different? Like we've
15:55
seen, you know, with the Qbot disruption,
15:58
meaning something
16:00
totally, completely new. So yeah, it's
16:02
still kind of an open question. And
16:15
now a word from our sponsor, Syxsense.
16:18
Syxsense provides award-winning cloud-based, automated
16:20
endpoint and vulnerability management solutions
16:23
to streamline IT and security
16:25
operations. With
16:27
its advanced platform, businesses gain complete
16:29
visibility and control over their infrastructure,
16:32
reducing IT and security risks
16:35
and optimizing operational efficiency. With
16:38
Syxsense, you'll get real-time
16:40
alerts, risk-based vulnerability prioritization
16:42
and remediation, and
16:44
an intuitive automation and orchestration engine so
16:47
you can focus on your core business
16:49
goals. Confident in
16:51
the knowledge that your enterprise is
16:54
secure, compliant and running smoothly. To
16:57
learn why enterprises choose
16:59
Syxsense, visit syxsense.com. When
17:08
you think about Latrodectus and its
17:10
place in the malware ecosystem, how
17:12
serious a threat is this, and
17:15
how much energy should folks be putting in
17:17
to protect themselves against it? Well,
17:20
I like to think that, you
17:23
know, there's various tiers in my mind, and again,
17:25
this is just, you know, how I think about
17:27
things. In terms of the
17:31
types of threat actors. And if we have
17:33
threat actors that are initial access brokers that
17:35
are using something new, it's
17:37
definitely worth paying attention to. Because initial access brokers
17:40
are the ones that are responsible for some of
17:42
the most damaging cybercrime
17:44
attacks, ransomware, that costs
17:47
hundreds of millions of dollars. And,
17:49
you know, there's the malware
17:52
that you have to think about, and, you
17:54
know, thinking about defense for the actual, you
17:56
know, like on network defense. But there's also
17:58
thinking about the lead up
18:00
to it, the initial access. So this
18:03
idea of defense in depth to prevent
18:05
not just the installation of potentially Latrodectus
18:07
but any other malware, the threat actors
18:09
that are initial access brokers are going
18:11
to be using because Latrodectus is just
18:13
one. We have seen, for
18:16
example, with the Qbot disruption, Pikabot
18:18
being that replacement. The
18:22
malware might change, but
18:24
if we're looking at initial access
18:26
brokers, their experimentation,
18:29
their sophistication, all
18:31
that they're doing to just try
18:34
and compromise organizations, it's
18:36
always worth paying attention to when they use something new.
18:39
So what's the main takeaway here, Selena? I mean,
18:41
are there common protections for Latrodectus,
18:45
or does it mean something specific if
18:47
you see that kind of thing in
18:49
your environment? So I would
18:51
say that with Latrodectus in particular, I
18:53
have to say the community has really
18:56
come together to do a lot of
18:58
really great research into this particular malware.
19:00
Proofpoint actually published a blog in collaboration
19:02
with Team Cymru looking at this particular
19:04
malware and its infrastructure. That was pretty
19:06
interesting to see some
19:08
of the overlap with historic IcedID operations.
19:11
But when there is something like an
19:15
initial access type of malware that is
19:17
identified, that's always something that
19:20
should be a high priority
19:22
investigation. As we've seen
19:24
historically, certainly with IcedID, things like Qbot,
19:26
the access to ultimate ransomware delivery, the
19:29
relationship is there. I think the DFIR
19:31
report recently came out with an example
19:33
of an IcedID infection with the time
19:35
to ransomware being 29 days. The
19:39
whole cycle and the activity is there. There's going
19:41
to be likely, especially
19:44
if we're talking about initial access brokers, there's going to
19:46
be the initial malware delivery, there's
19:48
going to be data exfiltration, there's going
19:50
to be lateral movement. They're going to try
19:52
and spread themselves as much as
19:55
they can before actually leading
19:57
to ultimate encryption. I
20:00
mean, I think the jury's still
20:02
out on like, what does Latrodectus
20:04
mean? But it's a great
20:06
example of the continued experimentation of
20:11
initial access brokers, the continued use
20:13
of new tools, new resources, trying
20:15
to adopt new techniques to see
20:17
what works best. And they're
20:20
always out there trying to compromise computers
20:22
and make as much money as possible.
20:30
Well, Selena, thank you for sharing all
20:32
of this information with us. We
20:34
are excited to be part of Only Malware
20:36
in the building. Rick
20:38
and I, we do have to run.
20:40
We are meeting up later today to
20:42
play an exciting game of Pong together.
20:45
So I believe I'm ahead, Dave. I
20:48
believe I'm ahead. Well, right.
20:50
But before we do, we both need a
20:52
nap. So thanks
20:55
so much. And we will
20:57
see you here next month. Thanks,
21:00
you guys. I'm very much looking forward to
21:02
it. And thanks to you, all
21:04
our listeners. For tuning in to Only Malware
21:07
in the Building. Hey,
21:09
listeners. We're
21:28
always looking for ways to improve
21:30
the N2K CyberWire Network and maintain
21:32
the intelligence driven news experience that
21:34
keeps you in the know on
21:36
the latest developments in cybersecurity. We've
21:39
launched our 2024 audience survey and
21:42
would love for you to take a few minutes to share
21:44
your feedback. And hey, there's even a chance to win
21:46
a $100 Amazon gift card if
21:49
you complete the survey. Visit
21:52
cyberwire.com/survey. That's
21:54
cyberwire.com/survey
21:57
and share your feedback now.