Wizard Spider
Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.[1][2]
Associated Group Descriptions
Name | Description
---|---
UNC1878 | 
TEMP.MixMaster | 
Grim Spider | 
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.002 | Account Discovery: Domain Account | Wizard Spider has identified domain admins through the use of "net group 'Domain admins'" commands.[6]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Wizard Spider has used HTTP for network communications.[5]
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.[2][3]
Enterprise | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | Wizard Spider has established persistence by modifying the Userinit value under the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.[3]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Wizard Spider has used macros to execute PowerShell scripts that download malware onto victims' machines.[5] It has also used PowerShell to execute commands and move laterally through a victim network.[2][3][7]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Wizard Spider has used cmd.exe to execute commands on a victim's machine.[6]
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.[5]
Enterprise | T1074 | Data Staged | Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.[5]
Enterprise | T1482 | Domain Trust Discovery | Wizard Spider has used
Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Wizard Spider has exfiltrated victim information using FTP.[6][8]
Enterprise | T1041 | Exfiltration Over C2 Channel | Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.[5]
Enterprise | T1210 | Exploitation of Remote Services | Wizard Spider has exploited or attempted to exploit the Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.[3][6][9]
Enterprise | T1133 | External Remote Services | Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.[3]
Enterprise | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | Wizard Spider has used the icacls command to modify access control on backup servers, granting itself full control of all the system folders.[10]
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.[2][3][6]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.[5]
Enterprise | T1570 | Lateral Tool Transfer | Wizard Spider has used stolen credentials to copy tools into the
Enterprise | T1557.001 | Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.[3]
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Wizard Spider has used scheduled tasks to install TrickBot, using task names such as WinDotNet, GoogleTask, or Sysnetsf to appear legitimate.[5] It has also used common document file names for other malware binaries.[3]
Enterprise | T1112 | Modify Registry | Wizard Spider has modified the Registry key
Enterprise | T1135 | Network Share Discovery | Wizard Spider has used the "net view" command to locate mapped network shares.[2]
Enterprise | T1027 | Obfuscated Files or Information | Wizard Spider has used Base64 encoding to obfuscate an Empire service and PowerShell commands.[4][6]
Enterprise | T1588.003 | Obtain Capabilities: Code Signing Certificates | Wizard Spider has obtained a code signing certificate issued by DigiCert for some of its malware.[8]
Enterprise | T1003.003 | OS Credential Dumping: NTDS | Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.[3]
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Wizard Spider has acquired credentials from the SAM and SECURITY registry hives.[3]
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Wizard Spider has used
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Wizard Spider has used spearphishing attachments to deliver Microsoft Office documents containing macros, or PDFs containing malicious links, that download Emotet, Bokbot, TrickBot, or Bazar.[5][7]
Enterprise | T1566.002 | Phishing: Spearphishing Link | Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or to other free online file hosting services.[2][8]
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.[2][8]
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Wizard Spider has used RDP for lateral movement.[5][2][8]
Enterprise | T1021.006 | Remote Services: Windows Remote Management | Wizard Spider has used Windows Remote Management to move laterally through a victim network.[2]
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.[8][6]
Enterprise | T1018 | Remote System Discovery | Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.[5][2][3][8]
Enterprise | T1489 | Service Stop | Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.[6]
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.[6]
Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Wizard Spider has used Rubeus, the Mimikatz Kerberos module, and the Invoke-Kerberoast cmdlet to request service tickets and collect their hashes (including AES-encrypted tickets) for offline cracking.[6][3][2][8]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Wizard Spider has used DigiCert code-signing certificates for some of its malware.[8]
Enterprise | T1082 | System Information Discovery | Wizard Spider has used "systeminfo" and similar commands to acquire detailed configuration information about a victim machine.[6]
Enterprise | T1016 | System Network Configuration Discovery | Wizard Spider has used "ipconfig" to identify the network configuration of a victim machine.[10]
Enterprise | T1033 | System Owner/User Discovery | Wizard Spider has used "whoami" to identify the local user and their privileges.[10]
Enterprise | T1569.002 | System Services: Service Execution | Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim network.[6][9]
Enterprise | T1204.002 | User Execution: Malicious File | Wizard Spider has lured victims into executing malware via spearphishing attachments containing macros that download Emotet, Bokbot, or TrickBot.[5]
Enterprise | T1204.001 | User Execution: Malicious Link | Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.[2]
Enterprise | T1078 | Valid Accounts | Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.[5]
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.[3]
Enterprise | T1047 | Windows Management Instrumentation | Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally.[5][2][3][7]
Software
References
1. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
2. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
3. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
4. Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
5. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
6. The DFIR Report. (2020, October 8). Ryuk's Return. Retrieved October 9, 2020.
7. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
8. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
9. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
10. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They're back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
11. Brewster, T. (2017, May 4). https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a. Retrieved June 15, 2020.
12. Feeley, B. and Stone-Gross, B. (2019, March 20). New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration. Retrieved June 15, 2020.
13. Umawing, J. (2019, September 3). TrickBot adds new trick to its arsenal: tampering with trusted texts. Retrieved June 15, 2020.