IcedID Infection Activity: Traffic & Other Indicators with Brad Duncan
January 13, 2022 @ 9:00 am - 10:00 am EST
About this event
Also known as Bokbot, IcedID is one of many families of malware distributed through malicious spam. In this webinar, Brad reviews two email-based distribution campaigns that have regularly delivered IcedID since November 2021. He reviews recent examples of IcedID infection traffic and reveals indicators that can be identified with Suricata-based signatures. Many prominent malware families use encrypted HTTPS for post-infection command and control (C2) traffic. This HTTPS traffic often uses self-signed certificates whose issuer data is unusual or unique, and because the certificate is sent in the clear during the TLS handshake, the issuer and subject fields can be inspected on the wire without decrypting the session. Understanding this and other traffic characteristics can help security professionals quickly identify IcedID. The goal is to stop these infections before they lead to more dangerous activity such as ransomware.
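The certificate-issuer point above lends itself to a simple log check. The following is an added example written for this page; it is not material from the webinar, from Unit 42 or from the Suricata project. It reads Suricata EVE JSON `tls` records (the field names `subject`, `issuerdn`, `fingerprint` and `sni` follow Suricata's EVE tls log format), flags server certificates that are self-signed (issuer equals subject), that are presented to a client that sent no SNI, or whose issuer DN appears on only one server in the whole log, and groups the hits by certificate fingerprint so repeated C2 check-ins to the same server collapse into one finding. The sample log lines are constructed for the example and are not IcedID indicators; the heuristics are generic and will also hit internal appliances with self-signed certificates, as the VPN record shows.

```python
"""Triage Suricata EVE JSON tls records for self-signed / rare-issuer certificates.

Added example, not code from the webinar or from Suricata. Field names follow
the EVE tls log format; the log lines in SAMPLE_EVE are constructed test data.
"""
import json
from collections import defaultdict

# Constructed certificate fingerprints (SHA1-style, as EVE reports them).
FP_CA_WWW = "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11"
FP_SELF_SIGNED_NO_SNI = "22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22"
FP_SELF_SIGNED_VPN = "33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33"
FP_CA_MAIL = "44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44"

# Constructed eve.json excerpt: one JSON object per line, plus a non-tls event
# and a corrupt line of the kind a rotated or truncated log produces.
SAMPLE_EVE = f"""\
{{"timestamp":"2022-01-13T09:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443}}
{{"timestamp":"2022-01-13T09:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{{"subject":"C=US, O=Example Corp, CN=www.example.com","issuerdn":"C=US, O=Example CA, CN=Example Root CA","fingerprint":"{FP_CA_WWW}","sni":"www.example.com","version":"TLS 1.2"}}}}
{{"timestamp":"2022-01-13T09:00:03.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"198.51.100.23","dest_port":443,"tls":{{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=localhost","issuerdn":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=localhost","fingerprint":"{FP_SELF_SIGNED_NO_SNI}","version":"TLS 1.2"}}}}
{{"timestamp":"2022-01-13T09:05:03.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"198.51.100.23","dest_port":443,"tls":{{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=localhost","issuerdn":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=localhost","fingerprint":"{FP_SELF_SIGNED_NO_SNI}","version":"TLS 1.2"}}}}
{{"timestamp":"2022-01-13T09:06:00.000000+0000","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"10.1.1.1","dest_port":443,"tls":{{"subject":"CN=vpn.corp.example","issuerdn":"CN=vpn.corp.example","fingerprint":"{FP_SELF_SIGNED_VPN}","sni":"vpn.corp.example","version":"TLS 1.3"}}}}
{{"timestamp":"2022-01-13T09:07:00.000000+0000","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"203.0.113.11","dest_port":443,"tls":{{"subject":"C=US, O=Example Corp, CN=mail.example.com","issuerdn":"C=US, O=Example CA, CN=Example Root CA","fingerprint":"{FP_CA_MAIL}","sni":"mail.example.com","version":"TLS 1.2"}}}}
this line is not JSON and must be skipped, not crash the run
"""


def parse_eve(text):
    """Return the tls records from EVE JSON text, skipping other event types
    and lines that do not parse (partial writes, rotation artifacts)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and ev.get("event_type") == "tls" and isinstance(ev.get("tls"), dict):
            records.append(ev)
    return records


def is_self_signed(tls):
    """A certificate whose issuer DN equals its subject DN is self-signed
    (or at least self-issued); both fields must be present to decide."""
    subject, issuer = tls.get("subject"), tls.get("issuerdn")
    return bool(subject) and subject == issuer


def find_suspicious(records):
    """Group sessions by certificate fingerprint and attach reasons:
    self_signed, no_sni (client sent no server name, typical of direct-to-IP C2),
    rare_issuer (the issuer DN is seen on exactly one server across the log).
    Returns only fingerprints with at least one reason."""
    issuer_servers = defaultdict(set)
    for ev in records:
        issuer = ev["tls"].get("issuerdn")
        if issuer:
            issuer_servers[issuer].add(ev.get("dest_ip"))

    certs = {}
    for ev in records:
        tls = ev["tls"]
        fp = tls.get("fingerprint")
        if not fp:
            continue
        entry = certs.setdefault(fp, {
            "subject": tls.get("subject"),
            "issuerdn": tls.get("issuerdn"),
            "servers": set(),
            "sessions": 0,
            "reasons": set(),
        })
        entry["servers"].add(f'{ev.get("dest_ip")}:{ev.get("dest_port")}')
        entry["sessions"] += 1
        if is_self_signed(tls):
            entry["reasons"].add("self_signed")
        if not tls.get("sni"):
            entry["reasons"].add("no_sni")
        if len(issuer_servers.get(tls.get("issuerdn"), ())) <= 1:
            entry["reasons"].add("rare_issuer")
    return {fp: e for fp, e in certs.items() if e["reasons"]}


def rank(findings):
    """Order fingerprints by number of reasons, then by session count, so the
    noisiest self-signed, SNI-less, one-off issuer lands at the top."""
    return sorted(findings, key=lambda fp: (len(findings[fp]["reasons"]), findings[fp]["sessions"]), reverse=True)


if __name__ == "__main__":
    findings = find_suspicious(parse_eve(SAMPLE_EVE))
    for fp in rank(findings):
        e = findings[fp]
        print(f'{fp}  sessions={e["sessions"]}  servers={sorted(e["servers"])}')
        print(f'    issuer={e["issuerdn"]}  reasons={sorted(e["reasons"])}')
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE` with the file contents; on a production log the `rare_issuer` test needs a larger baseline than a single day, since any public CA will appear on many servers while a one-off self-signed issuer will not. Once a specific issuer string has been confirmed as a C2 indicator, the same match can be written as a Suricata rule on the `tls.cert_issuer` and `tls.cert_subject` sticky buffers, which is what a signature-based approach to the traffic described above amounts to.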
Our Speaker – Brad Duncan
After 21 years in the US Air Force, Brad transitioned to cyber security in 2010, and he is currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42. Brad specializes in analysis of malware infection traffic. He is also a handler for the Internet Storm Center (ISC) and has posted more than 140 diaries at http://isc.sans.edu/. Brad routinely blogs technical details and analysis of infection traffic at http://www.malware-traffic-analysis.net/, where he provides traffic analysis exercises and over 1,600 malware and traffic samples to a growing community of information security professionals.