Wizard Spider

Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.[1][2]

ID: G0102
Associated Groups: UNC1878, TEMP.MixMaster, Grim Spider
Contributors: Oleksiy Gayda
Version: 1.3
Created: 12 May 2020
Last Modified: 29 December 2020

Associated Group Descriptions

Name Description
UNC1878

[3]

TEMP.MixMaster

[4]

Grim Spider

[1][5]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Wizard Spider has identified domain admins through the use of "net group ‘Domain admins’" commands.[6]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Wizard Spider has used HTTP for network communications.[5]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.[2][3]

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Wizard Spider has used macros to execute PowerShell scripts to download malware on victim's machines.[5] It has also used PowerShell to execute commands and move laterally through a victim network.[2][3][7]

.003 Command and Scripting Interpreter: Windows Command Shell

Wizard Spider has used cmd.exe to execute commands on a victim's machine.[6]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.[5]

Enterprise T1074 Data Staged

Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.[5]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Wizard Spider has exfiltrated victim information using FTP.[6][8]

Enterprise T1041 Exfiltration Over C2 Channel

Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.[5]

Enterprise T1210 Exploitation of Remote Services

Wizard Spider has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.[3][6][9]

Enterprise T1133 External Remote Services

Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.[3]

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Wizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders.[10]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.[2][3][6]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.[5]

Enterprise T1570 Lateral Tool Transfer

Wizard Spider has used stolen credentials to copy tools into the %TEMP% directory of domain controllers.[5]

Enterprise T1557 .001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.[3]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.[5] It has also used common document file names for other malware binaries.[3]

Enterprise T1112 Modify Registry

Wizard Spider has modified the Registry key HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest by setting the UseLogonCredential registry value to 1 in order to force credentials to be stored in clear text in memory.[5]

Enterprise T1135 Network Share Discovery

Wizard Spider has used the "net view" command to locate mapped network shares.[2]

Enterprise T1027 Obfuscated Files or Information

Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands.[4][6]

Enterprise T1588 .003 Obtain Capabilities: Code Signing Certificates

Wizard Spider obtained a code signing certificate signed by Digicert for some of its malware.[8]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Wizard Spider has acquired credentials from the SAM/SECURITY registry hives.[3]

.003 OS Credential Dumping: NTDS

Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.[3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.[5][7]

.002 Phishing: Spearphishing Link

Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.[2][8]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.[2][8]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Wizard Spider has used RDP for lateral movement.[5][2][8]

.002 Remote Services: SMB/Windows Admin Shares

Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.[8][6]

.006 Remote Services: Windows Remote Management

Wizard Spider has used Window Remote Management to move laterally through a victim network.[2]

Enterprise T1018 Remote System Discovery

Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used AdFind and nltest/dclist to enumerate domain computers, including the domain controller.[4][5][3][7][6]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Wizard Spider has used scheduled tasks establish persistence for TrickBot and other malware.[5][2][3][8]

Enterprise T1489 Service Stop

Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.[6]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.[6]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Wizard Spider has used Rubeus, MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.[6][3][2][8]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Wizard Spider has used Digicert code-signing certificates for some of its malware.[8]

Enterprise T1082 System Information Discovery

Wizard Spider has used "systeminfo" and similar commands to acquire detailed configuration information of a victim machine.[6]

Enterprise T1016 System Network Configuration Discovery

Wizard Spider has used "ipconfig" to identify the network configuration of a victim machine.[10]

Enterprise T1033 System Owner/User Discovery

Wizard Spider has used "whoami" to identify the local user and their privileges.[10]

Enterprise T1569 .002 System Services: Service Execution

Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim network.[6][9]

Enterprise T1204 .001 User Execution: Malicious Link

Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.[2]

.002 User Execution: Malicious File

Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, or TrickBot.[5]

Enterprise T1078 Valid Accounts

Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.[5]

.002 Domain Accounts

Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.[3]

Enterprise T1047 Windows Management Instrumentation

Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally.[5][2][3][7]

Software

ID Name References Techniques
S0552 AdFind [4][6][8][7] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0521 BloodHound [2][3][10] Account Discovery: Domain Account, Account Discovery: Local Account, Archive Collected Data, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Native API, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote System Discovery, System Owner/User Discovery
S0154 Cobalt Strike [3][2][6][8][9][10] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: JavaScript, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Man in the Browser, Modify Registry, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Internal Proxy, Query Registry, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0024 Dyre [11][12][13] Application Layer Protocol: Web Protocols, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Ingress Tool Transfer, Obfuscated Files or Information: Software Packing, Process Injection: Dynamic-link Library Injection, Process Injection, Scheduled Task/Job: Scheduled Task, Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Virtualization/Sandbox Evasion: System Checks
S0367 Emotet [5][10] Account Discovery: Email Account, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Brute Force: Password Guessing, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, Network Sniffing, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, OS Credential Dumping: LSASS Memory, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, Unsecured Credentials: Credentials In Files, User Execution: Malicious Link, User Execution: Malicious File, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0363 Empire [5][2][3] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0002 Mimikatz [3][2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [1][7][3][6][8][9][10] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0359 Nltest [3][6][8][9][10][7] Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0097 Ping [6][2][9] Remote System Discovery
S0029 PsExec [5][3] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0446 Ryuk [1][7][2][3][6][8][9][10] Access Token Manipulation, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Impair Defenses: Disable or Modify Tools, Inhibit System Recovery, Masquerading: Match Legitimate Name or Location, Masquerading, Native API, Process Discovery, Process Injection, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, Service Stop, System Network Configuration Discovery, Traffic Signaling, Valid Accounts: Domain Accounts
S0266 TrickBot [5][2][10] Account Discovery: Email Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Brute Force: Credential Stuffing, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Password Managers, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, Fallback Channels, File and Directory Discovery, Firmware Corruption, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Credential API Hooking, Inter-Process Communication: Component Object Model, Man in the Browser, Masquerading, Modify Registry, Native API, Network Share Discovery, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Permission Groups Discovery, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Pre-OS Boot: Bootkit, Process Discovery, Process Injection: Process Hollowing, Remote Access Software, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File

References