Bohemian IcedID - Queen of Loaders
2023-02-11, Track 1 - Dragon Suite

This talk provides an insight into Team Cymru's tracking of IcedID over the past 24 months, following its transition from banking trojan to all-round loader malware. We will demonstrate how we identify potential bot and loader C2 infrastructure through our network telemetry data, and provide confirmation of these findings through config extraction.


IcedID (also referred to as BokBot) first appeared in early 2017 as a 'traditional' banking trojan leveraging webinjects to steal financial information from victims. Since this time, it has evolved to include dropper functionality, and is now primarily used as a vehicle for the delivery of other tools, such as Cobalt Strike, and the eventual deployment of ransomware.

IcedID itself is commonly delivered in phishing (spam) campaigns, leveraging an assortment of lure types and execution processes.

IcedID has two stages to its initial command and control (C2) communications, prior to further tools being downloaded on the victim host. Patterns in the way these C2 communications are set up and appear in network telemetry data allow us to follow threat actor campaigns, often from a starting point of 'pre-spam' (before infrastructure is used actively in the wild).

We look forward to sharing more details in our talk!

Now leading the internal S2 research team, Josh has been an analyst with Team Cymru for the past six years, specialising in the tracking of infrastructure for a diverse target set that includes both nation state and criminal threat actors. Josh has an extensive background in law enforcement and national security investigations.

Thibault Seret is a researcher on the Team Cymru Research Team. He is currently focusing on crimeware and APT analysis and research, reverse engineering and threat intelligence, and trying to fight against bad guys. Before joining Team Cymru, he worked as a Threat Researcher in McAfee's ATR team, as a cybercrime analyst in a banking institution with the mission to improve the digital forensics department, and as a CERT analyst at an IT services company where he tried to save the world with his teammates. He participates a lot in the security community and CTF competitions and is a teacher for the new generation of cyber defenders. For the Alliance!