Wizard Spider

Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.^[1]^[2]

ID: G0102

Associated Groups: UNC1878, TEMP.MixMaster, Grim Spider

Contributors: Oleksiy Gayda

Version: 1.2

Created: 12 May 2020

Last Modified: 10 November 2020

Version Permalink

Live Version

Associated Group Descriptions

Name	Description
UNC1878	^[3]
TEMP.MixMaster	^[4]
Grim Spider	^[1]^[5]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1087	.002	Account Discovery: Domain Account	Wizard Spider has identified domain admins through the use of "net group ‘Domain admins’" commands.^[6]
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Wizard Spider has used HTTP for network communications.^[5]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Wizard Spider has has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.^[2]^[3]
		.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.^[3]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Wizard Spider has used macros to execute PowerShell scripts to download malware on victim's machines.^[5] It has also used PowerShell to execute commands and move laterally through a victim network.^[2]^[3]^[7]
		.003	Command and Scripting Interpreter: Windows Command Shell	Wizard Spider has used cmd.exe to execute commands on a victim's machine.^[6]
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.^[5]
Enterprise	T1074		Data Staged	Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.^[5]
Enterprise	T1482		Domain Trust Discovery	Wizard Spider has used `AdFind.exe` to collect information about Active Directory organizational units and trust objects.^[4]
Enterprise	T1048	.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Wizard Spider has exfiltrated victim information using FTP.^[6]^[8]
Enterprise	T1041		Exfiltration Over C2 Channel	Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.^[5]
Enterprise	T1210		Exploitation of Remote Services	Wizard Spider has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.^[3]^[6]^[9]
Enterprise	T1133		External Remote Services	Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.^[3]
Enterprise	T1222	.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	Wizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders.^[10]
Enterprise	T1562	.001	Impair Defenses: Disable or Modify Tools	Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.^[2]^[3]^[6]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.^[5]
Enterprise	T1570		Lateral Tool Transfer	Wizard Spider has used stolen credentials to copy tools into the `%TEMP%` directory of domain controllers.^[5]
Enterprise	T1557	.001	Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.^[3]
Enterprise	T1036	.004	Masquerading: Masquerade Task or Service	Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.^[5] It has also used common document file names for other malware binaries.^[3]
Enterprise	T1112		Modify Registry	Wizard Spider has modified the Registry key `HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest` by setting the `UseLogonCredential` registry value to `1` in order to force credentials to be stored in clear text in memory.^[5]
Enterprise	T1135		Network Share Discovery	Wizard Spider has used the "net view" command to locate mapped network shares.^[2]
Enterprise	T1027		Obfuscated Files or Information	Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands.^[4]^[6]
Enterprise	T1588	.003	Obtain Capabilities: Code Signing Certificates	Wizard Spider obtained a code signing certificate signed by Digicert for some of its malware.^[8]
Enterprise	T1003	.003	OS Credential Dumping: NTDS	Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.^[3]
		.002	OS Credential Dumping: Security Account Manager	Wizard Spider has acquired credentials from the SAM/SECURITY registry hives.^[3]
Enterprise	T1069	.002	Permission Groups Discovery: Domain Groups	Wizard Spider has used `AdFind.exe` to collect information about Active Directory groups and accounts.^[4]^[6]^[8]^[7]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.^[5]^[7]
		.002	Phishing: Spearphishing Link	Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.^[2]^[8]
Enterprise	T1055	.001	Process Injection: Dynamic-link Library Injection	Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.^[2]^[8]
Enterprise	T1021	.001	Remote Services: Remote Desktop Protocol	Wizard Spider has used RDP for lateral movement.^[5]^[2]^[8]
		.006	Remote Services: Windows Remote Management	Wizard Spider has used Window Remote Management to move laterally through a victim network.^[2]
		.002	Remote Services: SMB/Windows Admin Shares	Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.^[8]^[6]
Enterprise	T1018		Remote System Discovery	Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used `AdFind.exe` and `nltest/dclist` to enumerate domain computers, including the domain controller.^[4]^[5]^[3]^[7]^[6]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Wizard Spider has used scheduled tasks establish persistence for TrickBot and other malware.^[5]^[2]^[3]^[8]
Enterprise	T1489		Service Stop	Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.^[6]
Enterprise	T1518	.001	Software Discovery: Security Software Discovery	Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.^[6]
Enterprise	T1558	.003	Steal or Forge Kerberos Tickets: Kerberoasting	Wizard Spider has used Rubeus, MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.^[6]^[3]^[2]^[8]
Enterprise	T1553	.002	Subvert Trust Controls: Code Signing	Wizard Spider has used Digicert code-signing certificates for some of its malware.^[8]
Enterprise	T1082		System Information Discovery	Wizard Spider has used "systeminfo" and similar commands to acquire detailed configuration information of a victim machine.^[6]
Enterprise	T1016		System Network Configuration Discovery	Wizard Spider has used "ipconfig" to identify the network configuration of a victim machine.^[10]
Enterprise	T1033		System Owner/User Discovery	Wizard Spider has used "whoami" to identify the local user and their privileges.^[10]
Enterprise	T1569	.002	System Services: Service Execution	Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim network.^[6]^[9]
Enterprise	T1204	.002	User Execution: Malicious File	Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, or TrickBot.^[5]
		.001	User Execution: Malicious Link	Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.^[2]
Enterprise	T1078		Valid Accounts	Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.^[5]
		.002	Domain Accounts	Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.^[3]
Enterprise	T1047		Windows Management Instrumentation	Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally.^[5]^[2]^[3]^[7]

Software

ID	Name	References	Techniques
S0552	AdFind	^[4]^[6]^[8]^[7]	Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0521	BloodHound	^[2]^[3]^[10]	Account Discovery: Domain Account, Account Discovery: Local Account, Archive Collected Data, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Native API, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote System Discovery, System Owner/User Discovery
S0154	Cobalt Strike	^[3]^[2]^[6]^[8]^[9]^[10]	Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Exploitation for Privilege Escalation, Indicator Removal on Host: Timestomp, Input Capture: Keylogging, Man in the Browser, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Protocol Tunneling, Proxy: Internal Proxy, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, System Network Configuration Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0024	Dyre	^[11]^[12]^[13]	Application Layer Protocol: Web Protocols, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Ingress Tool Transfer, Obfuscated Files or Information: Software Packing, Process Injection: Dynamic-link Library Injection, Process Injection, Scheduled Task/Job: Scheduled Task, Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Virtualization/Sandbox Evasion: System Checks
S0367	Emotet	^[5]^[10]	Account Discovery: Email Account, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Brute Force: Password Guessing, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, Network Sniffing, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, OS Credential Dumping: LSASS Memory, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, Unsecured Credentials: Credentials In Files, User Execution: Malicious Link, User Execution: Malicious File, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0363	Empire	^[5]^[2]^[3]	Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0002	Mimikatz	^[3]^[2]	Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039	Net	^[1]^[7]^[3]^[6]^[8]^[9]^[10]	Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0359	Nltest	^[3]^[6]^[8]^[9]^[10]^[7]	Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0097	Ping	^[6]^[2]^[9]	Remote System Discovery
S0029	PsExec	^[5]^[3]	Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0446	Ryuk	^[1]^[7]^[2]^[3]^[6]^[8]^[9]^[10]	Access Token Manipulation, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Inhibit System Recovery, Masquerading: Match Legitimate Name or Location, Native API, Process Discovery, Process Injection, Service Stop, System Network Configuration Discovery
S0266	TrickBot	^[5]^[2]^[10]	Account Discovery: Email Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Credential API Hooking, Man in the Browser, Masquerading, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Permission Groups Discovery, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Process Injection: Process Hollowing, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File

References

Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.

Wizard Spider

Associated Group Descriptions

Enterprise Layer

Techniques Used

Software

References