Wizard Spider

Wizard Spider is a financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations.[1]

ID: G0102
Associated Groups: TEMP.MixMaster, Grim Spider
Contributors: Oleksiy Gayda
Version: 1.0
Created: 12 May 2020
Last Modified: 16 June 2020

Associated Group Descriptions

Name Description
TEMP.MixMaster [3]
Grim Spider [1][2]

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

Wizard Spider has used HTTP for network communications.[2]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Wizard Spider has used macros to execute PowerShell scripts that download malware onto victim machines.[2]

Enterprise T1543.003 Create or Modify System Process: Windows Service

Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.[2]

Enterprise T1074 Data Staged

Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.[2]

Enterprise T1482 Domain Trust Discovery

Wizard Spider has used AdFind.exe to collect information about Active Directory organizational units and trust objects.[3]

Enterprise T1041 Exfiltration Over C2 Channel

Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.[2]

Enterprise T1070.004 Indicator Removal on Host: File Deletion

Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.[2]

Enterprise T1570 Lateral Tool Transfer

Wizard Spider has used stolen credentials to copy tools into the %TEMP% directory of domain controllers.[2]

Enterprise T1036.004 Masquerading: Masquerade Task or Service

Wizard Spider has used scheduled tasks to install TrickBot, giving the tasks names intended to look legitimate, such as WinDotNet, GoogleTask, or Sysnetsf.[2]

Enterprise T1112 Modify Registry

Wizard Spider has modified the Registry key HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest by setting the UseLogonCredential value to 1, which causes WDigest to cache logon credentials in clear text in LSASS memory.[2]
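A hunt for the WDigest change described above, written as an added example for this page; it is not part of the ATT&CK entry or of any Wizard Spider tooling. It runs over Sysmon Event ID 13 (registry value set) records reduced to dicts. The records are constructed, and the handling of the \REGISTRY\MACHINE spelling of the hive is an assumption about how some collectors render it.

```python
"""Flag registry writes that re-enable WDigest plaintext credential caching.

Added example. Records are Sysmon Event ID 13 (RegistryEvent, value set)
fields reduced to dicts; the samples below are constructed, not real telemetry.
"""
from typing import Iterable, List, Optional, Tuple

WDIGEST_VALUE = (r"HKLM\System\CurrentControlSet\Control\SecurityProviders"
                 r"\WDigest\UseLogonCredential")


def _norm(path: str) -> str:
    # Assumption: collectors spell the hive either as HKLM (Sysmon's form)
    # or as \REGISTRY\MACHINE; fold both to one lower-case form.
    return path.replace("\\REGISTRY\\MACHINE", "HKLM").lower()


def _dword_value(details: str) -> Optional[int]:
    # Sysmon renders DWORD data as "DWORD (0x00000001)".
    details = details.strip()
    if details.upper().startswith("DWORD (0X") and details.endswith(")"):
        return int(details[7:-1], 16)
    return None


def is_wdigest_enable(event: dict) -> bool:
    """True if the event sets WDigest\\UseLogonCredential to 1."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    if _norm(event.get("TargetObject", "")) != _norm(WDIGEST_VALUE):
        return False
    return _dword_value(str(event.get("Details", ""))) == 1


def find_wdigest_enables(events: Iterable[dict]) -> List[Tuple[str, int]]:
    """Return (Image, ProcessId) for every process that enabled WDigest caching."""
    return [(e.get("Image", "?"), int(e.get("ProcessId", 0)))
            for e in events if is_wdigest_enable(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WDIGEST_VALUE, "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 5508,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"\REGISTRY\MACHINE\System\CurrentControlSet\Control"
                     r"\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 900,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": WDIGEST_VALUE, "Details": "DWORD (0x00000000)"},  # hardened state
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 1234,
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel",
     "Details": "DWORD (0x00000005)"},
]

if __name__ == "__main__":
    for image, pid in find_wdigest_enables(SAMPLE_EVENTS):
        print(f"WDigest caching enabled by {image} (pid {pid})")
```

On Windows 8.1 / Server 2012 R2 and later (and on older hosts with KB2871997 applied) the value is absent or 0 by default, so any write of 1 is worth an alert on its own. Remediation is to set the value back to 0 as a REG_DWORD and then reboot or force logoffs, because credentials already cached by WDigest stay in LSASS memory until the sessions end.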

Enterprise T1027 Obfuscated Files or Information

Wizard Spider has used base64 encoding to obfuscate an Empire service.[3]

Enterprise T1069.002 Permission Groups Discovery: Domain Groups

Wizard Spider has used AdFind.exe to collect information about Active Directory groups and accounts.[3]

Enterprise T1566.001 Phishing: Spearphishing Attachment

Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros to download either Emotet, Bokbot, or TrickBot.[2]

Enterprise T1090 Proxy

Wizard Spider has used a module named NewBCtestnDll64 as a reverse SOCKS proxy.[2]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

Wizard Spider has used RDP for lateral movement.[2]

Enterprise T1018 Remote System Discovery

Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used AdFind.exe to enumerate domain computers, including the domain controller.[3][2]
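An added example, not from the page or from any Wizard Spider tooling, that scores process-creation records (Sysmon Event ID 1 or Security 4688 fields reduced to dicts) for the AdFind usage listed under T1018, T1069.002 and T1482 above. The switches and LDAP filters are assumptions about how AdFind is commonly driven for those queries; the page gives no command lines. Catching a renamed copy through the PE OriginalFileName field assumes the collector records that field. All sample records are constructed.

```python
"""Score process-creation records for AdFind-driven Active Directory discovery.

Added example. Records are Sysmon Event ID 1 (or Security 4688) fields
reduced to dicts; the samples are constructed. The switch/filter patterns
are assumptions about typical AdFind invocations, not text from the page.
"""
import re
from typing import Iterable, List, Optional

# Technique label -> pattern over the command line. These are ordinary AdFind
# LDAP filters/shortcuts; the mapping to techniques follows this page.
ADFIND_QUERIES = {
    "T1018 Remote System Discovery":
        re.compile(r"objectcategory=computer", re.I),
    "T1069.002 Permission Groups Discovery: Domain Groups":
        re.compile(r"objectcategory=(group|person)", re.I),
    "T1482 Domain Trust Discovery":
        re.compile(r"-sc\s+trustdmp|objectcategory=organizationalunit|trusteddomain", re.I),
}
# AdFind's own switches: -f <filter>, -sc <shortcut>, -subnets.
ADFIND_SYNTAX = re.compile(r"(^|\s)-(f|sc|subnets)(\s|$)", re.I)


def triage_process_event(event: dict) -> Optional[dict]:
    """Return a finding dict if the record looks like AdFind, else None."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    by_name = image.rsplit("\\", 1)[-1].lower() == "adfind.exe"
    # Assumption: the collector records the PE header's OriginalFileName,
    # which survives a rename of the file on disk.
    by_pe = event.get("OriginalFileName", "").lower() == "adfind.exe"
    techniques = [t for t, rx in ADFIND_QUERIES.items() if rx.search(cmd)]
    if not (by_name or by_pe or (techniques and ADFIND_SYNTAX.search(cmd))):
        return None
    return {
        "pid": event.get("ProcessId"),
        "image": image,
        "masqueraded": not by_name,  # AdFind behaviour under another file name
        "techniques": techniques,
    }


def triage_process_events(events: Iterable[dict]) -> List[dict]:
    return [f for f in map(triage_process_event, events) if f is not None]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 3304, "Image": r"C:\Users\Public\AdFind.exe",
     "OriginalFileName": "AdFind.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'AdFind.exe -f "(objectcategory=computer)"'},
    {"ProcessId": 3360, "Image": r"C:\ProgramData\svc.exe",
     "OriginalFileName": "AdFind.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "svc.exe -sc trustdmp"},
    {"ProcessId": 3391, "Image": r"C:\Windows\System32\dsquery.exe",
     "OriginalFileName": "dsquery.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "dsquery computer -limit 0"},
    {"ProcessId": 3402, "Image": r"C:\Windows\Temp\a.exe",
     "OriginalFileName": "",  # collector did not record it
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'a.exe -f "(objectcategory=person)" -gcb'},
]

if __name__ == "__main__":
    for finding in triage_process_events(SAMPLE_EVENTS):
        print(finding)
```

The third branch (AdFind syntax plus a recognised filter, under an unknown file name) is what catches a copy with the PE metadata stripped; it will also fire on other tools that take the same switches, so treat it as a lead to pivot on rather than a confirmed AdFind execution.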

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

Wizard Spider has used scheduled tasks to establish persistence for TrickBot.[2]
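One triage routine serving the four persistence entries above (the ControlServiceA service, the base64-obfuscated Empire service, and the WinDotNet/GoogleTask/Sysnetsf scheduled tasks), written as an added example for this page rather than code from the ATT&CK entry or any Wizard Spider tooling. It reads System log Event ID 7045 (service installed) and Security log Event ID 4698 (scheduled task created) records reduced to dicts, parses the task XML carried in 4698's TaskContent, and decodes base64 PowerShell found in a service's ImagePath. That the base64 Empire service takes the form of a PowerShell -EncodedCommand argument is an assumption (the page only says it was base64-encoded), the user-writable-path rule is a generalisation beyond the page, and every sample record is constructed.

```python
"""Triage 7045 service-install and 4698 scheduled-task records for the
persistence names on this page, and decode base64 PowerShell in ImagePath.
Added example; all sample records are constructed, not real telemetry."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from typing import Optional

TRICKBOT_SERVICE_NAMES = {"controlservicea"}
TRICKBOT_TASK_NAMES = {"windotnet", "googletask", "sysnetsf"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc)
# followed by base64 of a UTF-16LE string.
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
# Assumption (goes beyond the page): a task whose action lives in a
# user-writable location deserves a look even if its name is not on the list.
USER_WRITABLE = re.compile(r"\\users\\|\\appdata\\|\\temp\\|%temp%|%appdata%", re.I)


def encode_for_powershell(text: str) -> str:
    """Build a -EncodedCommand argument (used here only to construct samples)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_service_install(event: dict) -> Optional[dict]:
    name, image = event.get("ServiceName", ""), event.get("ImagePath", "")
    reasons = []
    if name.lower() in TRICKBOT_SERVICE_NAMES:
        reasons.append("known TrickBot service name")
    decoded = decode_encoded_command(image)
    if decoded is not None:
        reasons.append("base64-encoded PowerShell in ImagePath")
    return {"name": name, "reasons": reasons, "decoded": decoded} if reasons else None


def task_exec_command(task_xml: str) -> str:
    """Return '<Command> <Arguments>' from Task Scheduler XML (namespace-agnostic)."""
    cmd = args = ""
    for el in ET.fromstring(task_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the schema namespace
        if tag == "Command":
            cmd = (el.text or "").strip()
        elif tag == "Arguments":
            args = (el.text or "").strip()
    return f"{cmd} {args}".strip()


def triage_task_create(event: dict) -> Optional[dict]:
    name = event.get("TaskName", "")
    command = task_exec_command(event.get("TaskContent") or "<Task/>")
    reasons = []
    if name.rsplit("\\", 1)[-1].lower() in TRICKBOT_TASK_NAMES:
        reasons.append("known TrickBot task name")
    if USER_WRITABLE.search(command):
        reasons.append("runs from a user-writable path")
    return {"name": name, "reasons": reasons, "command": command} if reasons else None


def task_xml(command: str, arguments: str = "") -> str:
    # Minimal Task Scheduler XML as carried in 4698 TaskContent (constructed).
    return ('<Task version="1.2" '
            'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions Context="Author"><Exec>'
            f'<Command>{command}</Command><Arguments>{arguments}</Arguments>'
            '</Exec></Actions></Task>')


SERVICE_EVENTS = [  # constructed
    {"EventID": 7045, "ServiceName": "ControlServiceA",
     "ImagePath": r"C:\ProgramData\ctlsvc.exe"},
    {"EventID": 7045, "ServiceName": "Updater",
     "ImagePath": "%COMSPEC% /c start /b powershell -NoP -NonI -W Hidden -Enc "
                  + encode_for_powershell("Start-Sleep -Seconds 1")},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]
TASK_EVENTS = [  # constructed
    {"EventID": 4698, "TaskName": r"\GoogleTask",
     "TaskContent": task_xml(r"C:\Users\bob\AppData\Roaming\gtask.exe", "--start")},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
]

if __name__ == "__main__":
    for e in SERVICE_EVENTS + TASK_EVENTS:
        print(triage_service_install(e) if "ServiceName" in e else triage_task_create(e))
```

The decoder is worth keeping even outside this group's tradecraft: a 7045 whose ImagePath contains an encoded command is rare in legitimate software, and having the decoded script in the alert saves the analyst a round trip to the host. Name matching on the task and service names from this page should be treated as high-fidelity but brittle, since the names are trivially changed between campaigns.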

Enterprise T1204.002 User Execution: Malicious File

Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, or TrickBot.[2]

Enterprise T1078 Valid Accounts

Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.[2]

Enterprise T1047 Windows Management Instrumentation

Wizard Spider has used WMI and LDAP queries for network discovery.[2]

Software

ID Name References Techniques
S0024 Dyre

[4][5][6]

Application Layer Protocol: Web Protocols, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Ingress Tool Transfer, Obfuscated Files or Information: Software Packing, Process Injection: Dynamic-link Library Injection, Process Injection, Scheduled Task/Job: Scheduled Task, Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Virtualization/Sandbox Evasion: System Checks
S0367 Emotet

[2]

Account Discovery: Email Account, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Brute Force: Password Guessing, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, Network Sniffing, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, OS Credential Dumping: LSASS Memory, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, Unsecured Credentials: Credentials In Files, User Execution: Malicious Link, User Execution: Malicious File, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0363 Empire

[2]

Abuse Elevation Control Mechanism: Bypass User Access Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Modification, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0039 Net

[1]

Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0029 PsExec

[2]

Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0446 Ryuk

[1]

Access Token Manipulation, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Inhibit System Recovery, Masquerading: Match Legitimate Name or Location, Native API, Process Discovery, Process Injection, Service Stop, System Network Configuration Discovery
S0266 TrickBot

[2]

Account Discovery: Email Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Credential API Hooking, Man in the Browser, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Attachment, Process Injection: Process Hollowing, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Service Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File

References