Josh Hopkins
Last known affiliation: Team Cymru
Bio: Now leading the internal S2 research team, Josh has been a threat researcher with Team Cymru for the past six years, specialising in the tracking of infrastructure for a diverse target set that includes both nation-state and criminal threat actors. Josh has an extensive background in law enforcement and national security investigations.
Speakers: Josh Hopkins, Thibault Seret
Abstract
This talk provides insight into Team Cymru’s tracking of IcedID over the past 24 months, following its transition from banking trojan to all-round loader malware. We will demonstrate how we identify potential bot and loader C2 infrastructure through our network telemetry data, and provide confirmation of these findings through config extraction.
IcedID (also referred to as BokBot) first appeared in early 2017 as a ‘traditional’ banking trojan leveraging webinjects to steal financial information from victims. Since this time, it has evolved to include dropper functionality, and is now primarily used as a vehicle for the delivery of other tools, such as Cobalt Strike, and the eventual deployment of ransomware.
IcedID itself is commonly delivered in phishing (spam) campaigns, leveraging an assortment of lure types and execution processes.
Speakers: Rachelle Goddin, Josh Hopkins
Abstract
This talk is a continuation on the subject of IcedID, which we presented at Botconf 2023. In our previous talk we covered methodologies for hunting IcedID infrastructure, subsequently explaining how we use these findings to pivot to the management of IcedID using network telemetry data. In doing so we were able to explore the threat actors’ pattern of life, as well as uncovering the tools and services they utilize on a day-to-day basis.
In this talk we will provide an in-depth overview of IcedID infrastructure and activity behind the scenes, covering the intervening period since we last met in Strasbourg. Broken down into key infrastructure elements, we will examine how the threat actors have adapted and evolved, both to improve their capabilities and in reaction to changes in the threat landscape.
We will show that during periods of apparent “quiet”, the threat actors continue to access and update their infrastructure, in preparation for an inevitable return. Finally, we will consider the impacts of events such as Operation Duck Hunt on the botnet ecosystem, as well as highlighting potential connections to other emerging threats such as DarkGate (reloaded) and PikaBot.