RU · Russian Federation · G0102

WIZARD SPIDER

Also known as: TEMP.MixMaster · GOLD BLACKBURN · FIN12 · Periwinkle Tempest · DEV-0193 · Storm-0193 · Trickbot LLC · UNC2053 · Pistachio Tempest · DEV-0237 · Storm-0230 · WIZARD SPIDER

Origin
RU
Known aliases
12
Target sectors
5
Attribution
State-sponsored

Profile

Wizard Spider is reportedly associated with Grim Spider and Lunar Spider. The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function. GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.

Aliases · 12

TEMP.MixMaster · GOLD BLACKBURN · FIN12 · Periwinkle Tempest · DEV-0193 · Storm-0193 · Trickbot LLC · UNC2053 · Pistachio Tempest · DEV-0237 · Storm-0230 · WIZARD SPIDER

Target sectors · 5

Defense · Financial · Government · Healthcare · Telecommunications

Known victims · 18

  • Australia
  • Bahamas
  • Canada
  • Costa Rica
  • France
  • Germany
  • India
  • Ireland
  • Italy
  • Japan
  • Mexico
  • New Zealand

MITRE ATT&CK Group crosswalk

G0102

References

  1. https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
  2. https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
  3. https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
  4. https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/
  5. https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/
  6. https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
  7. https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
  8. https://www.secureworks.com/research/threat-profiles/gold-ulrick

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • Actor: GRIM SPIDER
  • Actor: LUNAR SPIDER
  • Group: Indrik Spider
  • Actor: GURU SPIDER
  • Actor: CIRCUS SPIDER
  • Software: TrickBot

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.