SYMBOLCOMMON_NAMEaka. SYNONYMS

WIZARD SPIDER  (Back to overview)

aka: TEMP.MixMaster

Wizard Spider is reportedly associated with Grim Spider and Lunar Spider. The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function. GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.


Associated Families
win.anchor win.dyre win.trickbot win.ryuk

References
2020-10-22Bleeping ComputerLawrence Abrams
@online{abrams:20201022:french:6d52e19, author = {Lawrence Abrams}, title = {{French IT giant Sopra Steria hit by Ryuk ransomware}}, date = {2020-10-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/}, language = {English}, urldate = {2020-10-26} } French IT giant Sopra Steria hit by Ryuk ransomware
Ryuk
2020-10-22Sentinel LABSMarco Figueroa
@online{figueroa:20201022:inside:228798e, author = {Marco Figueroa}, title = {{An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques}}, date = {2020-10-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/}, language = {English}, urldate = {2020-10-26} } An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques
Ryuk
2020-10-20Intel 471Intel 471
@online{471:20201020:global:570e26f, author = {Intel 471}, title = {{Global Trickbot disruption operation shows promise}}, date = {2020-10-20}, organization = {Intel 471}, url = {https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/}, language = {English}, urldate = {2020-10-21} } Global Trickbot disruption operation shows promise
TrickBot
2020-10-20Bundesamt für Sicherheit in der InformationstechnikBSI
@online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot
2020-10-20MicrosoftTom Burt
@online{burt:20201020:update:12549c2, author = {Tom Burt}, title = {{An update on disruption of Trickbot}}, date = {2020-10-20}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/}, language = {English}, urldate = {2020-10-23} } An update on disruption of Trickbot
TrickBot
2020-10-18The DFIR ReportThe DFIR Report
@online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-16CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a, author = {The Crowdstrike Intel Team}, title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}}, date = {2020-10-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/}, language = {English}, urldate = {2020-10-21} } WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ransomware Ryuk TrickBot
2020-10-16DuoDennis Fisher
@online{fisher:20201016:trickbot:be18c46, author = {Dennis Fisher}, title = {{Trickbot Up to Its Old Tricks}}, date = {2020-10-16}, organization = {Duo}, url = {https://duo.com/decipher/trickbot-up-to-its-old-tricks}, language = {English}, urldate = {2020-10-23} } Trickbot Up to Its Old Tricks
TrickBot
2020-10-16ThreatConnectThreatConnect Research Team
@online{team:20201016:threatconnect:2010d70, author = {ThreatConnect Research Team}, title = {{ThreatConnect Research Roundup: Possible Ryuk Infrastructure}}, date = {2020-10-16}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/}, language = {English}, urldate = {2020-10-23} } ThreatConnect Research Roundup: Possible Ryuk Infrastructure
Ryuk
2020-10-15Intel 471Intel 471
@online{471:20201015:that:2d4b495, author = {Intel 471}, title = {{That was quick: Trickbot is back after disruption attempts}}, date = {2020-10-15}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/}, language = {English}, urldate = {2020-10-15} } That was quick: Trickbot is back after disruption attempts
TrickBot
2020-10-15Department of JusticeDepartment of Justice
@online{justice:20201015:officials:b340951, author = {Department of Justice}, title = {{Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals}}, date = {2020-10-15}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization}, language = {English}, urldate = {2020-10-23} } Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
Dridex ISFB TrickBot
2020-10-14SophosSean Gallagher
@online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2020-10-13VirusTotalGerardo Fernández, Vicente Diaz
@online{fernndez:20201013:tracing:14bb6fa, author = {Gerardo Fernández and Vicente Diaz}, title = {{Tracing fresh Ryuk campaigns itw}}, date = {2020-10-13}, organization = {VirusTotal}, url = {https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html}, language = {English}, urldate = {2020-10-23} } Tracing fresh Ryuk campaigns itw
Ryuk
2020-10-12LumenBlack Lotus Labs
@online{labs:20201012:look:7b422f7, author = {Black Lotus Labs}, title = {{A Look Inside The TrickBot Botnet}}, date = {2020-10-12}, organization = {Lumen}, url = {https://blog.lumen.com/a-look-inside-the-trickbot-botnet/}, language = {English}, urldate = {2020-10-12} } A Look Inside The TrickBot Botnet
TrickBot
2020-10-12ESET ResearchJean-Ian Boutin
@online{boutin:20201012:eset:a7eeb51, author = {Jean-Ian Boutin}, title = {{ESET takes part in global operation to disrupt Trickbot}}, date = {2020-10-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/}, language = {English}, urldate = {2020-10-12} } ESET takes part in global operation to disrupt Trickbot
TrickBot
2020-10-12MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20201012:trickbot:e4f086f, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{Trickbot disrupted}}, date = {2020-10-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/}, language = {English}, urldate = {2020-10-12} } Trickbot disrupted
TrickBot
2020-10-12US District Court for the Eastern District of Virginia
@techreport{virginia:20201012:trickbot:f3af852, author = {US District Court for the Eastern District of Virginia}, title = {{TRICKBOT complaint}}, date = {2020-10-12}, institution = {}, url = {https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf}, language = {English}, urldate = {2020-10-13} } TRICKBOT complaint
TrickBot
2020-10-12SymantecThreat Hunter Team
@online{team:20201012:trickbot:5c1e5bf, author = {Threat Hunter Team}, title = {{Trickbot: U.S. Court Order Hits Botnet’s Infrastructure}}, date = {2020-10-12}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption}, language = {English}, urldate = {2020-10-12} } Trickbot: U.S. Court Order Hits Botnet’s Infrastructure
Ryuk TrickBot
2020-10-12MicrosoftTom Burt
@online{burt:20201012:new:045c1c3, author = {Tom Burt}, title = {{New action to combat ransomware ahead of U.S. elections}}, date = {2020-10-12}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/}, language = {English}, urldate = {2020-10-12} } New action to combat ransomware ahead of U.S. elections
Ryuk TrickBot
2020-10-12Advanced IntelligenceRoman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-10The Washington PostEllen Nakashima
@online{nakashima:20201010:cyber:9f29985, author = {Ellen Nakashima}, title = {{Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election}}, date = {2020-10-10}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html}, language = {English}, urldate = {2020-10-12} } Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election
TrickBot
2020-10-08The DFIR ReportThe DFIR Report
@online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-02KrebsOnSecurityBrian Krebs
@online{krebs:20201002:attacks:a6dc6e3, author = {Brian Krebs}, title = {{Attacks Aimed at Disrupting the Trickbot Botnet}}, date = {2020-10-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/}, language = {English}, urldate = {2020-10-05} } Attacks Aimed at Disrupting the Trickbot Botnet
TrickBot
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake Ransomware
2020-09-22OSINT FansGabor Szathmari
@online{szathmari:20200922:what:60d1e26, author = {Gabor Szathmari}, title = {{What Service NSW has to do with Russia?}}, date = {2020-09-22}, organization = {OSINT Fans}, url = {https://osint.fans/service-nsw-russia-association}, language = {English}, urldate = {2020-09-23} } What Service NSW has to do with Russia?
TrickBot
2020-09-16Intel 471Intel 471
@online{471:20200916:partners:c65839f, author = {Intel 471}, title = {{Partners in crime: North Koreans and elite Russian-speaking cybercriminals}}, date = {2020-09-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/}, language = {English}, urldate = {2020-09-23} } Partners in crime: North Koreans and elite Russian-speaking cybercriminals
TrickBot
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-31cyber.wtf blogLuca Ebach
@online{ebach:20200831:trickbot:c975ec5, author = {Luca Ebach}, title = {{Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers}}, date = {2020-08-31}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/}, language = {English}, urldate = {2020-08-31} } Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers
TrickBot
2020-08-20CERT-FRCERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-08-18AreteArete Incident Response
@techreport{response:20200818:is:72e08da, author = {Arete Incident Response}, title = {{Is Conti the New Ryuk?}}, date = {2020-08-18}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf}, language = {English}, urldate = {2020-08-25} } Is Conti the New Ryuk?
Conti Ransomware Ryuk
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-07-22SentinelOneJason Reaves, Joshua Platt
@online{reaves:20200722:enter:71d9038, author = {Jason Reaves and Joshua Platt}, title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}}, date = {2020-07-22}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/}, language = {English}, urldate = {2020-07-23} } Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader
2020-07-20Bleeping ComputerLawrence Abrams
@online{abrams:20200720:emotettrickbot:a8e84d2, author = {Lawrence Abrams}, title = {{Emotet-TrickBot malware duo is back infecting Windows machines}}, date = {2020-07-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/}, language = {English}, urldate = {2020-07-21} } Emotet-TrickBot malware duo is back infecting Windows machines
Emotet TrickBot
2020-07-13JoeSecurityJoe Security
@online{security:20200713:trickbots:a164ba5, author = {Joe Security}, title = {{TrickBot's new API-Hammering explained}}, date = {2020-07-13}, organization = {JoeSecurity}, url = {https://www.joesecurity.org/blog/498839998833561473}, language = {English}, urldate = {2020-07-15} } TrickBot's new API-Hammering explained
TrickBot
2020-07-11BleepingComputerLawrence Abrams
@online{abrams:20200711:trickbot:7e70ad3, author = {Lawrence Abrams}, title = {{TrickBot malware mistakenly warns victims that they are infected}}, date = {2020-07-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/}, language = {English}, urldate = {2020-07-15} } TrickBot malware mistakenly warns victims that they are infected
TrickBot
2020-07-11Advanced IntelligenceVitali Kremez
@online{kremez:20200711:trickbot:602fd73, author = {Vitali Kremez}, title = {{TrickBot Group Launches Test Module Alerting on Fraud Activity}}, date = {2020-07-11}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity}, language = {English}, urldate = {2020-07-13} } TrickBot Group Launches Test Module Alerting on Fraud Activity
TrickBot
2020-07-06NTTSecurity division of NTT Ltd.
@online{ltd:20200706:trickbot:9612912, author = {Security division of NTT Ltd.}, title = {{TrickBot variant “Anchor_DNS” communicating over DNS}}, date = {2020-07-06}, organization = {NTT}, url = {https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns}, language = {English}, urldate = {2020-07-30} } TrickBot variant “Anchor_DNS” communicating over DNS
Anchor_DNS TrickBot
2020-06-23Bleeping ComputerIonut Ilascu
@online{ilascu:20200623:ryuk:c63b0c6, author = {Ionut Ilascu}, title = {{Ryuk ransomware deployed two weeks after Trickbot infection}}, date = {2020-06-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/}, language = {English}, urldate = {2020-06-30} } Ryuk ransomware deployed two weeks after Trickbot infection
Ryuk
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-22Sentinel LABSJoshua Platt, Jason Reaves
@online{platt:20200622:inside:b381dd5, author = {Joshua Platt and Jason Reaves}, title = {{Inside a TrickBot Cobalt Strike Attack Server}}, date = {2020-06-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/}, language = {English}, urldate = {2020-06-23} } Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot
2020-06-17Youtube (Red Canary)Erika Noerenberg, Matt Graeber, Adam Pennington, David Kaplan
@online{noerenberg:20200617:attck:934d73c, author = {Erika Noerenberg and Matt Graeber and Adam Pennington and David Kaplan}, title = {{ATT&CK® Deep Dive: Process Injection}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://redcanary.com/resources/webinars/deep-dive-process-injection/}, language = {English}, urldate = {2020-06-19} } ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot
2020-06-15Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200615:quarterly:c2dcd77, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly report: Incident Response trends in Summer 2020}}, date = {2020-06-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more}, language = {English}, urldate = {2020-06-19} } Quarterly report: Incident Response trends in Summer 2020
Ryuk
2020-06-15FortinetVal Saengphaibul, Fred Gutierrez
@online{saengphaibul:20200615:global:5c4be18, author = {Val Saengphaibul and Fred Gutierrez}, title = {{Global Malicious Spam Campaign Using Black Lives Matter as a Lure}}, date = {2020-06-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure}, language = {English}, urldate = {2020-06-16} } Global Malicious Spam Campaign Using Black Lives Matter as a Lure
TrickBot
2020-06-12HornetsecuritySecurity Lab
@online{lab:20200612:trickbot:2bf54ef, author = {Security Lab}, title = {{Trickbot Malspam Leveraging Black Lives Matter as Lure}}, date = {2020-06-12}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/}, language = {English}, urldate = {2020-07-01} } Trickbot Malspam Leveraging Black Lives Matter as Lure
TrickBot
2020-06-11CofenseJason Meurer
@online{meurer:20200611:all:cc2e167, author = {Jason Meurer}, title = {{All You Need Is Text: Second Wave}}, date = {2020-06-11}, organization = {Cofense}, url = {https://cofenselabs.com/all-you-need-is-text-second-wave/}, language = {English}, urldate = {2020-06-12} } All You Need Is Text: Second Wave
TrickBot
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-28Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20200528:goodbye:87a0245, author = {Brad Duncan}, title = {{Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module}}, date = {2020-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/}, language = {English}, urldate = {2020-05-29} } Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
TrickBot
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-05-19AlienLabsOfer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-05-14SentinelOneJason Reaves
@online{reaves:20200514:deep:1ee83b6, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant}}, date = {2020-05-14}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/}, language = {English}, urldate = {2020-05-18} } Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant
TrickBot
2020-05-05N1ght-W0lf BlogAbdallah Elshinbary
@online{elshinbary:20200505:deep:f5661cb, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Ryuk Ransomware}}, date = {2020-05-05}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/}, language = {English}, urldate = {2020-05-10} } Deep Analysis of Ryuk Ransomware
Ryuk
2020-04-19SecurityLiterateKyle Cucci
@online{cucci:20200419:reversing:4523233, author = {Kyle Cucci}, title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}}, date = {2020-04-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/}, language = {English}, urldate = {2020-08-13} } Reversing Ryuk: A Technical Analysis of Ryuk Ransomware
Ryuk
2020-04-14Intel 471Intel 471
@online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot
2020-04-09ZscalerAtinderpal Singh, Abhay Yadav
@online{singh:20200409:trickbot:9db52c2, author = {Atinderpal Singh and Abhay Yadav}, title = {{TrickBot Emerges with a Few New Tricks}}, date = {2020-04-09}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks}, language = {English}, urldate = {2020-07-01} } TrickBot Emerges with a Few New Tricks
TrickBot
2020-04-08SentinelOneJason Reaves
@online{reaves:20200408:deep:87b83bb, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations}}, date = {2020-04-08}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/}, language = {English}, urldate = {2020-04-13} } Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
Anchor TrickBot
2020-04-07SecurityIntelligenceOle Villadsen
@online{villadsen:20200407:itg08:b0b782d, author = {Ole Villadsen}, title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}}, date = {2020-04-07}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/}, language = {English}, urldate = {2020-04-13} } ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot
2020-04-01CiscoShyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-31FireEyeVan Ta, Aaron Stephens
@online{ta:20200331:its:632dfca, author = {Van Ta and Aaron Stephens}, title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}}, date = {2020-03-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html}, language = {English}, urldate = {2020-04-06} } It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot
2020-03-31Cisco TalosChris Neal
@online{neal:20200331:trickbot:dcf5314, author = {Chris Neal}, title = {{Trickbot: A primer}}, date = {2020-03-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/03/trickbot-primer.html}, language = {English}, urldate = {2020-04-01} } Trickbot: A primer
TrickBot
2020-03-30IntezerMichael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-25Wilbur SecurityJW
@online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-18BitdefenderLiviu Arsene, Radu Tudorica, Alexandru Maximciuc, Cristina Vatamanu
@techreport{arsene:20200318:new:2d895da, author = {Liviu Arsene and Radu Tudorica and Alexandru Maximciuc and Cristina Vatamanu}, title = {{New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong}}, date = {2020-03-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf}, language = {English}, urldate = {2020-03-19} } New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong
TrickBot
2020-03-09FortinetXiaopeng Zhang
@online{zhang:20200309:new:ff60491, author = {Xiaopeng Zhang}, title = {{New Variant of TrickBot Being Spread by Word Document}}, date = {2020-03-09}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html}, language = {English}, urldate = {2020-04-26} } New Variant of TrickBot Being Spread by Word Document
TrickBot
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-04Bleeping ComputerLawrence Abrams
@online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-03-02c'tChristian Wölbert
@online{wlbert:20200302:was:1b9cc93, author = {Christian Wölbert}, title = {{Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen}}, date = {2020-03-02}, organization = {c't}, url = {https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html}, language = {German}, urldate = {2020-03-02} } Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen
Emotet Ryuk
2020-02-28MorphisecMichael Gorelik
@online{gorelik:20200228:trickbot:678683b, author = {Michael Gorelik}, title = {{Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10}}, date = {2020-02-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows}, language = {English}, urldate = {2020-03-03} } Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10
TrickBot
2020-02-26SentinelOneJason Reaves
@online{reaves:20200226:revealing:2c3fc63, author = {Jason Reaves}, title = {{Revealing the Trick | A Deep Dive into TrickLoader Obfuscation}}, date = {2020-02-26}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/}, language = {English}, urldate = {2020-02-27} } Revealing the Trick | A Deep Dive into TrickLoader Obfuscation
TrickBot
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-02-19FireEyeFireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-18Sophos LabsLuca Nagy
@online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-01-30MorphisecArnold Osipov
@online{osipov:20200130:trickbot:da5c80d, author = {Arnold Osipov}, title = {{Trickbot Trojan Leveraging a New Windows 10 UAC Bypass}}, date = {2020-01-30}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass}, language = {English}, urldate = {2020-02-03} } Trickbot Trojan Leveraging a New Windows 10 UAC Bypass
TrickBot
2020-01-30Bleeping ComputerLawrence Abrams
@online{abrams:20200130:trickbot:22db786, author = {Lawrence Abrams}, title = {{TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly}}, date = {2020-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/}, language = {English}, urldate = {2020-02-03} } TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly
TrickBot
2020-01-29ZDNetCatalin Cimpanu
@online{cimpanu:20200129:dod:57de65d, author = {Catalin Cimpanu}, title = {{DOD contractor suffers ransomware infection}}, date = {2020-01-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/}, language = {English}, urldate = {2020-02-03} } DOD contractor suffers ransomware infection
Ryuk
2020-01-29Bleeping ComputerLawrence Abrams
@online{abrams:20200129:malware:920dc7e, author = {Lawrence Abrams}, title = {{Malware Tries to Trump Security Software With POTUS Impeachment}}, date = {2020-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/}, language = {English}, urldate = {2020-02-03} } Malware Tries to Trump Security Software With POTUS Impeachment
TrickBot
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-27T-SystemsT-Systems
@techreport{tsystems:20200127:vorlufiger:39dc989, author = {T-Systems}, title = {{Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht}}, date = {2020-01-27}, institution = {T-Systems}, url = {https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf}, language = {German}, urldate = {2020-01-28} } Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht
Emotet TrickBot
2020-01-24Bleeping ComputerLawrence Abrams
@online{abrams:20200124:new:05d5a6a, author = {Lawrence Abrams}, title = {{New Ryuk Info Stealer Targets Government and Military Secrets}}, date = {2020-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/}, language = {English}, urldate = {2020-02-03} } New Ryuk Info Stealer Targets Government and Military Secrets
Ryuk
2020-01-24ReversingLabsRobert Simmons
@online{simmons:20200124:hunting:f99f1f9, author = {Robert Simmons}, title = {{Hunting for Ransomware}}, date = {2020-01-24}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hunting-for-ransomware}, language = {English}, urldate = {2020-01-29} } Hunting for Ransomware
Ryuk
2020-01-23Bleeping ComputerLawrence Abrams
@online{abrams:20200123:trickbot:5ca7827, author = {Lawrence Abrams}, title = {{TrickBot Now Steals Windows Active Directory Credentials}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/}, language = {English}, urldate = {2020-01-27} } TrickBot Now Steals Windows Active Directory Credentials
TrickBot
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2020-01-17Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2020-01-16Bleeping ComputerLawrence Abrams
@online{abrams:20200116:trickbot:ed6fdb3, author = {Lawrence Abrams}, title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}}, date = {2020-01-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/}, language = {English}, urldate = {2020-01-20} } TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection
TrickBot
2020-01-14Bleeping ComputerLawrence Abrams
@online{abrams:20200114:ryuk:b2e47fa, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/}, language = {English}, urldate = {2020-01-15} } Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
Ryuk
2020-01-10CSISCSIS
@techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2020-01-09SentinelOneVitali Kremez, Joshua Platt, Jason Reaves
@online{kremez:20200109:toptier:4f8de90, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets}}, date = {2020-01-09}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/}, language = {English}, urldate = {2020-01-13} } Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
TrickBot WIZARD SPIDER
2020SecureworksSecureWorks
@online{secureworks:2020:gold:d8faa3e, author = {SecureWorks}, title = {{GOLD ULRICK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick}, language = {English}, urldate = {2020-05-23} } GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot Lunar Spider
2020SecureworksSecureWorks
@online{secureworks:2020:gold:21c4d39, author = {SecureWorks}, title = {{GOLD BLACKBURN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-blackburn}, language = {English}, urldate = {2020-05-23} } GOLD BLACKBURN
Dyre TrickBot
2019-12-26Bleeping ComputerLawrence Abrams
@online{abrams:20191226:ryuk:acc2284, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Stops Encrypting Linux Folders}}, date = {2019-12-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/}, language = {English}, urldate = {2020-01-08} } Ryuk Ransomware Stops Encrypting Linux Folders
Ryuk
2019-12-21DecryptAdriana Hamacher
@online{hamacher:20191221:how:9d026a8, author = {Adriana Hamacher}, title = {{How ransomware exploded in the age of Bitcoin}}, date = {2019-12-21}, organization = {Decrypt}, url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc}, language = {English}, urldate = {2020-01-13} } How ransomware exploded in the age of Bitcoin
Ryuk
2019-12-19MalwarebytesJovi Umawing
@online{umawing:20191219:threat:552a941, author = {Jovi Umawing}, title = {{Threat spotlight: the curious case of Ryuk ransomware}}, date = {2019-12-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/}, language = {English}, urldate = {2020-01-08} } Threat spotlight: the curious case of Ryuk ransomware
Ryuk
2019-12-15Bleeping ComputerLawrence Abrams
@online{abrams:20191215:ryuk:74f6eab, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}}, date = {2019-12-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/}, language = {English}, urldate = {2020-01-13} } Ryuk Ransomware Likely Behind New Orleans Cyberattack
Ryuk
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-11CybereasonAssaf Dahan, Lior Rochberger, Eli Salem, Mary Zhao, Niv Yona, Omer Yampel, Matt Hart
@online{dahan:20191211:dropping:0849f70, author = {Assaf Dahan and Lior Rochberger and Eli Salem and Mary Zhao and Niv Yona and Omer Yampel and Matt Hart}, title = {{Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware}}, date = {2019-12-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware}, language = {English}, urldate = {2020-01-06} } Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
Anchor WIZARD SPIDER
2019-12-10Sentinel LABSVitali Kremez, Joshua Platt, Jason Reaves
@online{kremez:20191210:morphisec:c0fc51c, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS}}, date = {2019-12-10}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/}, language = {English}, urldate = {2020-01-08} } MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS
Anchor
2019-12-09Palo Alto Networks Unit 42Bryan Lee, Brittany Ash, Mike Harbison
@online{lee:20191209:trickbot:48d9da3, author = {Bryan Lee and Brittany Ash and Mike Harbison}, title = {{TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks}}, date = {2019-12-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/}, language = {English}, urldate = {2020-01-22} } TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks
TrickBot
2019-12-09EmsisoftEmsiSoft Malware Lab
@online{lab:20191209:caution:05ff83a, author = {EmsiSoft Malware Lab}, title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}}, date = {2019-12-09}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/}, language = {English}, urldate = {2020-01-07} } Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk
2019-11-27Twitter (@Prosegur)Prosegur
@online{prosegur:20191127:incident:bd76c3f, author = {Prosegur}, title = {{Tweet on Incident of Information Security}}, date = {2019-11-27}, organization = {Twitter (@Prosegur)}, url = {https://twitter.com/Prosegur/status/1199732264386596864}, language = {English}, urldate = {2020-01-09} } Tweet on Incident of Information Security
Ryuk
2019-11-22Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20191122:trickbot:e14933b, author = {Brad Duncan}, title = {{Trickbot Updates Password Grabber Module}}, date = {2019-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/}, language = {English}, urldate = {2020-01-22} } Trickbot Updates Password Grabber Module
TrickBot
2019-11-13CrowdStrikeJen Ayers, Jason Rivera
@techreport{ayers:20191113:through:70cc3b3, author = {Jen Ayers and Jason Rivera}, title = {{Through the Eyes of the Adversary}}, date = {2019-11-13}, institution = {CrowdStrike}, url = {https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf}, language = {English}, urldate = {2020-03-22} } Through the Eyes of the Adversary
TrickBot CLOCKWORD SPIDER
2019-11-08Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20191108:wireshark:f37b983, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Trickbot Infections}}, date = {2019-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/}, language = {English}, urldate = {2020-01-06} } Wireshark Tutorial: Examining Trickbot Infections
TrickBot
2019-11-06Heise SecurityThomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-11CCN-CERTCCN-CERT
@online{ccncert:201911:informe:69b39b5, author = {CCN-CERT}, title = {{Informe Código Dañino CCN-CERT ID-26/19}}, date = {2019-11}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html}, language = {Espanyol}, urldate = {2020-01-10} } Informe Código Dañino CCN-CERT ID-26/19
Ryuk
2019-11-01CrowdStrikeAlexander Hanel, Brett Stone-Gross
@online{hanel:20191101:wizard:a34a09e, author = {Alexander Hanel and Brett Stone-Gross}, title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}}, date = {2019-11-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/}, language = {English}, urldate = {2019-12-20} } WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
Ryuk WIZARD SPIDER
2019-10-29SneakyMonkey BlogSneakyMonkey
@online{sneakymonkey:20191029:trickbot:bd7249c, author = {SneakyMonkey}, title = {{TRICKBOT - Analysis Part II}}, date = {2019-10-29}, organization = {SneakyMonkey Blog}, url = {https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/}, language = {English}, urldate = {2019-12-17} } TRICKBOT - Analysis Part II
TrickBot
2019-10-24Sentinel LABSVitali Kremez
@online{kremez:20191024:how:e6d838d, author = {Vitali Kremez}, title = {{How TrickBot Malware Hooking Engine Targets Windows 10 Browsers}}, date = {2019-10-24}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/}, language = {English}, urldate = {2020-07-03} } How TrickBot Malware Hooking Engine Targets Windows 10 Browsers
TrickBot
2019-10-18NTTNTT Security
@online{security:20191018:trickbot:6e2f73f, author = {NTT Security}, title = {{TrickBot variant “Anchor_DNS” communicating over DNS}}, date = {2019-10-18}, organization = {NTT}, url = {https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns}, language = {English}, urldate = {2020-10-12} } TrickBot variant “Anchor_DNS” communicating over DNS
Anchor
2019-09-25GovCERT.chGovCERT.ch
@online{govcertch:20190925:trickbot:8346dd7, author = {GovCERT.ch}, title = {{Trickbot - An analysis of data collected from the botnet}}, date = {2019-09-25}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet}, language = {English}, urldate = {2020-01-08} } Trickbot - An analysis of data collected from the botnet
TrickBot
2019-09-09McAfeeThomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2019-08-27SecureworksCTU Research Team
@online{team:20190827:trickbot:fa5f95b, author = {CTU Research Team}, title = {{TrickBot Modifications Target U.S. Mobile Users}}, date = {2019-08-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users}, language = {English}, urldate = {2020-01-09} } TrickBot Modifications Target U.S. Mobile Users
TrickBot
2019-08-26InQuestJosiah Smith
@online{smith:20190826:memory:c4cea9b, author = {Josiah Smith}, title = {{Memory Analysis of TrickBot}}, date = {2019-08-26}, organization = {InQuest}, url = {https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis}, language = {English}, urldate = {2020-01-10} } Memory Analysis of TrickBot
TrickBot
2019-08-05Trend MicroNoel Anthony Llimos, Michael Jhon Ofiaza
@online{llimos:20190805:latest:62ba94b, author = {Noel Anthony Llimos and Michael Jhon Ofiaza}, title = {{Latest Trickbot Campaign Delivered via Highly Obfuscated JS File}}, date = {2019-08-05}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/}, language = {English}, urldate = {2020-01-23} } Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot
2019-07-11NTT SecurityNTT Security
@online{security:20190711:targeted:a48e692, author = {NTT Security}, title = {{Targeted TrickBot activity drops 'PowerBrace' backdoor}}, date = {2019-07-11}, organization = {NTT Security}, url = {https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor}, language = {English}, urldate = {2019-12-18} } Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot
2019-06-04SlideShareVitali Kremez
@online{kremez:20190604:inside:d633c6f, author = {Vitali Kremez}, title = {{Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez}}, date = {2019-06-04}, organization = {SlideShare}, url = {https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez}, language = {English}, urldate = {2020-01-13} } Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez
TrickBot
2019-05-22sneakymonk3y (Mark)
@online{mark:20190522:trickbot:277256b, author = {sneakymonk3y (Mark)}, title = {{TRICKBOT - Analysis}}, date = {2019-05-22}, url = {https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/}, language = {English}, urldate = {2020-01-06} } TRICKBOT - Analysis
TrickBot
2019-05-09GovCERT.chGovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-05-02CERT.PLMichał Praszmo
@online{praszmo:20190502:detricking:43a7dc1, author = {Michał Praszmo}, title = {{Detricking TrickBot Loader}}, date = {2019-05-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/detricking-trickbot-loader/}, language = {English}, urldate = {2020-01-08} } Detricking TrickBot Loader
TrickBot
2019-04-05Medium vishal_thakurVishal Thakur
@online{thakur:20190405:trickbot:d1c4891, author = {Vishal Thakur}, title = {{Trickbot — a concise treatise}}, date = {2019-04-05}, organization = {Medium vishal_thakur}, url = {https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737}, language = {English}, urldate = {2020-01-13} } Trickbot — a concise treatise
TrickBot
2019-04-05FireEyeBrendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
@online{mckeague:20190405:picksix:d101a59, author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock}, title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}}, date = {2019-04-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html}, language = {English}, urldate = {2019-12-20} } Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6
2019-04-02CybereasonNoa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37, author = {Noa Pinkas and Lior Rochberger and Matan Zatz}, title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}}, date = {2019-04-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware}, language = {English}, urldate = {2020-01-09} } Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-03-26ANSSIANSSI
@techreport{anssi:20190326:informations:7965c3d, author = {ANSSI}, title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}}, date = {2019-03-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf}, language = {French}, urldate = {2020-01-10} } INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK
Ryuk
2019-03-20CrowdStrikeBrendon Feeley, Brett Stone-Gross
@online{feeley:20190320:new:07bf05b, author = {Brendon Feeley and Brett Stone-Gross}, title = {{New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration}}, date = {2019-03-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/}, language = {English}, urldate = {2019-12-20} } New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration
Lunar Spider WIZARD SPIDER
2019-03-05PepperMalware BlogPepper Potts
@online{potts:20190305:quick:773aabc, author = {Pepper Potts}, title = {{Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework}}, date = {2019-03-05}, organization = {PepperMalware Blog}, url = {http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html}, language = {English}, urldate = {2019-12-19} } Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework
TrickBot
2019-02-15CrowdStrikeBrendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak Lunar Spider WIZARD SPIDER
2019-02-12Trend MicroTrend Micro
@online{micro:20190212:trickbot:73576ba, author = {Trend Micro}, title = {{Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire}}, date = {2019-02-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/}, language = {English}, urldate = {2020-01-12} } Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
TrickBot
2019-01-11FireEyeKimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2019-01-10CrowdStrikeAlexander Hanel
@online{hanel:20190110:big:7e10bdf, author = {Alexander Hanel}, title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}}, date = {2019-01-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER
2019-01-09McAfeeJohn Fokker, Christiaan Beek
@online{fokker:20190109:ryuk:350f477, author = {John Fokker and Christiaan Beek}, title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}}, date = {2019-01-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/}, language = {English}, urldate = {2020-01-09} } Ryuk Ransomware Attack: Rush to Attribution Misses the Point
Ryuk
2019Virus BulletinGabriela Nicolao, Luciano Martins
@techreport{nicolao:2019:shinigamis:8397861, author = {Gabriela Nicolao and Luciano Martins}, title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf}, language = {English}, urldate = {2020-01-05} } Shinigami's Revenge: The Long Tail of Ryuk Malware
Ryuk
2018-12-29Los Angeles TimesTony Barboza, Meg James, Emily Alpert Reyes
@online{barboza:20181229:malware:d5d8d0d, author = {Tony Barboza and Meg James and Emily Alpert Reyes}, title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}}, date = {2018-12-29}, organization = {Los Angeles Times}, url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html}, language = {English}, urldate = {2020-01-10} } Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
Ryuk
2018-12-12SecureDataWicus Ross
@online{ross:20181212:trickbot:7a0e2a6, author = {Wicus Ross}, title = {{The TrickBot and MikroTik connection}}, date = {2018-12-12}, organization = {SecureData}, url = {https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/}, language = {English}, urldate = {2020-05-18} } The TrickBot and MikroTik connection
TrickBot
2018-12-05VIPREVIPRE Labs
@online{labs:20181205:trickbots:b45d588, author = {VIPRE Labs}, title = {{Trickbot’s Tricks}}, date = {2018-12-05}, organization = {VIPRE}, url = {https://labs.vipre.com/trickbots-tricks/}, language = {English}, urldate = {2020-01-09} } Trickbot’s Tricks
TrickBot
2018-11-12Malwarebyteshasherezade
@online{hasherezade:20181112:whats:e44d5f3, author = {hasherezade}, title = {{What’s new in TrickBot? Deobfuscating elements}}, date = {2018-11-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/}, language = {English}, urldate = {2019-12-20} } What’s new in TrickBot? Deobfuscating elements
TrickBot
2018-11-08FortinetXiaopeng Zhang
@online{zhang:20181108:deep:fca360c, author = {Xiaopeng Zhang}, title = {{Deep Analysis of TrickBot New Module pwgrab}}, date = {2018-11-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html}, language = {English}, urldate = {2019-11-17} } Deep Analysis of TrickBot New Module pwgrab
TrickBot
2018-11-01Trend MicroNoel Anthony Llimos, Carl Maverick Pascual
@online{llimos:20181101:trickbot:7d0ea94, author = {Noel Anthony Llimos and Carl Maverick Pascual}, title = {{Trickbot Shows Off New Trick: Password Grabber Module}}, date = {2018-11-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module}, language = {English}, urldate = {2020-01-06} } Trickbot Shows Off New Trick: Password Grabber Module
TrickBot
2018-08-20Check PointItay Cohen, Ben Herzog
@online{cohen:20180820:ryuk:5756495, author = {Itay Cohen and Ben Herzog}, title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}}, date = {2018-08-20}, organization = {Check Point}, url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/}, language = {English}, urldate = {2019-12-10} } Ryuk Ransomware: A Targeted Campaign Break-Down
Ryuk
2018-08-14CyberbitHod Gavriel
@online{gavriel:20180814:latest:7df6364, author = {Hod Gavriel}, title = {{Latest Trickbot Variant has New Tricks Up Its Sleeve}}, date = {2018-08-14}, organization = {Cyberbit}, url = {https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/}, language = {English}, urldate = {2020-08-21} } Latest Trickbot Variant has New Tricks Up Its Sleeve
TrickBot
2018-07-03Talos IntelligenceBen Baker, Holger Unterbrink
@online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } Smoking Guns - Smoke Loader learned new tricks
SmokeLoader TrickBot
2018-06-20OALabs
@online{oalabs:20180620:unpacking:e4d59a4, author = {OALabs}, title = {{Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python}}, date = {2018-06-20}, url = {https://www.youtube.com/watch?v=EdchPEHnohw}, language = {English}, urldate = {2019-12-24} } Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python
TrickBot
2018-06-13Github (JR0driguezB)Jorge Rodriguez
@online{rodriguez:20180613:trickbot:e004ae8, author = {Jorge Rodriguez}, title = {{TrickBot config files}}, date = {2018-06-13}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot}, language = {English}, urldate = {2019-07-11} } TrickBot config files
TrickBot
2018-04-16Random REsysopfb
@online{sysopfb:20180416:trickbot:5305f46, author = {sysopfb}, title = {{TrickBot & UACME}}, date = {2018-04-16}, organization = {Random RE}, url = {https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html}, language = {English}, urldate = {2020-01-09} } TrickBot & UACME
TrickBot
2018-04-03Vitali Kremez BlogVitali Kremez
@online{kremez:20180403:lets:b45dd50, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP}}, date = {2018-04-03}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html}, language = {English}, urldate = {2019-07-27} } Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP
TrickBot
2018-03-31Youtube (hasherezade)hasherezade
@online{hasherezade:20180331:deobfuscating:39c1be0, author = {hasherezade}, title = {{Deobfuscating TrickBot's strings with libPeConv}}, date = {2018-03-31}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KMcSAlS9zGE}, language = {English}, urldate = {2020-01-13} } Deobfuscating TrickBot's strings with libPeConv
TrickBot
2018-03-27Trend MicroTrendmicro
@online{trendmicro:20180327:evolving:faa2e54, author = {Trendmicro}, title = {{Evolving Trickbot Adds Detection Evasion and Screen-Locking Features}}, date = {2018-03-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features}, language = {English}, urldate = {2020-01-07} } Evolving Trickbot Adds Detection Evasion and Screen-Locking Features
TrickBot
2018-03-21WebrootJason Davison
@online{davison:20180321:trickbot:1f0576e, author = {Jason Davison}, title = {{TrickBot Banking Trojan Adapts with New Module}}, date = {2018-03-21}, organization = {Webroot}, url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/}, language = {English}, urldate = {2020-01-13} } TrickBot Banking Trojan Adapts with New Module
TrickBot
2018-02-15SecurityIntelligenceOphir Harpaz, Magal Baz, Limor Kessem
@online{harpaz:20180215:trickbots:2cf1b53, author = {Ophir Harpaz and Magal Baz and Limor Kessem}, title = {{TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets}}, date = {2018-02-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/}, language = {English}, urldate = {2020-01-06} } TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets
TrickBot
2018-02-01Malware Traffic AnalysisBrad Duncan
@online{duncan:20180201:quick:320f855, author = {Brad Duncan}, title = {{Quick Test Drive of Trickbot (It now has a Monero Module)}}, date = {2018-02-01}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/02/01/}, language = {English}, urldate = {2019-07-09} } Quick Test Drive of Trickbot (It now has a Monero Module)
TrickBot
2017-12-30Youtube (hasherezade)hasherezade
@online{hasherezade:20171230:unpacking:5477bb2, author = {hasherezade}, title = {{Unpacking TrickBot with PE-sieve}}, date = {2017-12-30}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=lTywPmZEU1A}, language = {English}, urldate = {2020-01-06} } Unpacking TrickBot with PE-sieve
TrickBot
2017-12-19Vitali Kremez BlogVitali Kremez
@online{kremez:20171219:lets:030e09a, author = {Vitali Kremez}, title = {{Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module}}, date = {2017-12-19}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html}, language = {English}, urldate = {2019-11-23} } Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module
TrickBot
2017-11-22FlashpointVitali Kremez
@online{kremez:20171122:trickbot:faea11e, author = {Vitali Kremez}, title = {{Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model}}, date = {2017-11-22}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/}, language = {English}, urldate = {2019-12-10} } Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model
TrickBot
2017-11-21Vitali Kremez
@online{kremez:20171121:lets:5fb17b0, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Socks5 Backconnect Module In Detail}}, date = {2017-11-21}, url = {http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html}, language = {English}, urldate = {2019-11-22} } Let's Learn: Trickbot Socks5 Backconnect Module In Detail
TrickBot
2017-10-06BluelivBlueliv
@online{blueliv:20171006:trickbot:a2a9ac8, author = {Blueliv}, title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}}, date = {2017-10-06}, organization = {Blueliv}, url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/}, language = {English}, urldate = {2020-01-08} } TrickBot banking trojan using EFLAGS as an anti-hook technique
TrickBot
2017-08-01MalwarebytesMalwarebytes Labs
@online{labs:20170801:trickbot:222d8bc, author = {Malwarebytes Labs}, title = {{TrickBot comes up with new tricks: attacking Outlook and browsing data}}, date = {2017-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/}, language = {English}, urldate = {2019-12-20} } TrickBot comes up with new tricks: attacking Outlook and browsing data
TrickBot
2017-07-27FlashpointFlashpoint
@online{flashpoint:20170727:new:bb5c883, author = {Flashpoint}, title = {{New Version of “Trickbot” Adds Worm Propagation Module}}, date = {2017-07-27}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/}, language = {English}, urldate = {2020-01-13} } New Version of “Trickbot” Adds Worm Propagation Module
TrickBot
2017-07Ring Zero LabsRing Zero Labs
@online{labs:201707:trickbot:e738eaf, author = {Ring Zero Labs}, title = {{TrickBot Banking Trojan - DOC00039217.doc}}, date = {2017-07}, organization = {Ring Zero Labs}, url = {https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html}, language = {English}, urldate = {2020-01-10} } TrickBot Banking Trojan - DOC00039217.doc
TrickBot
2017-06-15F5Sara Boddy, Jesse Smith, Doron Voolf
@online{boddy:20170615:trickbot:6eb1db4, author = {Sara Boddy and Jesse Smith and Doron Voolf}, title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}}, date = {2017-06-15}, organization = {F5}, url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms}, language = {English}, urldate = {2019-12-24} } Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs
TrickBot
2017-06-12Security Art WorkMarc Salinas, JoséMiguel Holguín
@techreport{salinas:20170612:evolucin:9930231, author = {Marc Salinas and JoséMiguel Holguín}, title = {{Evolución de Trickbot}}, date = {2017-06-12}, institution = {Security Art Work}, url = {https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf}, language = {Spanish}, urldate = {2020-01-10} } Evolución de Trickbot
TrickBot
2017-05-26PWCBart Parys
@online{parys:20170526:trickbots:c1b84e1, author = {Bart Parys}, title = {{TrickBot’s bag of tricks}}, date = {2017-05-26}, organization = {PWC}, url = {http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html}, language = {English}, urldate = {2020-06-18} } TrickBot’s bag of tricks
TrickBot
2017-05-04ForbesThomas Brewster
@online{brewster:20170504:behind:4da1ded, author = {Thomas Brewster}, title = {{Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business}}, date = {2017-05-04}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates}, language = {English}, urldate = {2020-01-09} } Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business
Dyre
2017-03-01FraudWatch InternationalFraudWatch International
@online{international:20170301:how:fb75ef9, author = {FraudWatch International}, title = {{How Does the Trickbot Malware Work?}}, date = {2017-03-01}, organization = {FraudWatch International}, url = {https://blog.fraudwatchinternational.com/malware/trickbot-malware-works}, language = {English}, urldate = {2020-01-08} } How Does the Trickbot Malware Work?
TrickBot
2016-12-07BotconfJoshua Adams
@techreport{adams:20161207:trickbot:fc3427c, author = {Joshua Adams}, title = {{The TrickBot Evolution}}, date = {2016-12-07}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf}, language = {English}, urldate = {2020-01-09} } The TrickBot Evolution
TrickBot
2016-12-06FortinetXiaopeng Zhang
@online{zhang:20161206:deep:1f1521f, author = {Xiaopeng Zhang}, title = {{Deep Analysis of the Online Banking Botnet TrickBot}}, date = {2016-12-06}, organization = {Fortinet}, url = {http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot}, language = {English}, urldate = {2020-01-08} } Deep Analysis of the Online Banking Botnet TrickBot
TrickBot
2016-11-09Lior Keshet
@online{keshet:20161109:tricks:c3ab510, author = {Lior Keshet}, title = {{Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations}}, date = {2016-11-09}, url = {https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/}, language = {English}, urldate = {2019-10-17} } Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations
TrickBot
2016-11-07F5 LabsJulia Karpin, Shaul Vilkomir-Preisman, Anna Dorfman
@online{karpin:20161107:little:598f939, author = {Julia Karpin and Shaul Vilkomir-Preisman and Anna Dorfman}, title = {{Little Trickbot Growing Up: New Campaign}}, date = {2016-11-07}, organization = {F5 Labs}, url = {https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412}, language = {English}, urldate = {2020-01-06} } Little Trickbot Growing Up: New Campaign
TrickBot
2016-10-25NetScoutASERT Team
@online{team:20161025:trickbot:dd465d9, author = {ASERT Team}, title = {{TrickBot Banker Insights}}, date = {2016-10-25}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/}, language = {English}, urldate = {2019-07-11} } TrickBot Banker Insights
TrickBot
2016-10-24MalwarebytesMalwarebytes Labs
@online{labs:20161024:introducing:e59ac27, author = {Malwarebytes Labs}, title = {{Introducing TrickBot, Dyreza’s successor}}, date = {2016-10-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/}, language = {English}, urldate = {2019-12-20} } Introducing TrickBot, Dyreza’s successor
TrickBot
2016-10-15Fidelis CybersecurityThreat Research Team
@online{team:20161015:trickbot:cc9f48f, author = {Threat Research Team}, title = {{TrickBot: We Missed you, Dyre}}, date = {2016-10-15}, organization = {Fidelis Cybersecurity}, url = {https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre}, language = {English}, urldate = {2019-11-28} } TrickBot: We Missed you, Dyre
TrickBot
2015-11-04Malwarebyteshasherezade
@online{hasherezade:20151104:technical:abd2b27, author = {hasherezade}, title = {{A Technical Look At Dyreza}}, date = {2015-11-04}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/}, language = {English}, urldate = {2019-12-20} } A Technical Look At Dyreza
Dyre
2015-10-26BluelivBlueliv
@techreport{blueliv:20151026:chasing:975ef1a, author = {Blueliv}, title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}}, date = {2015-10-26}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf}, language = {English}, urldate = {2020-01-13} } Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers
Dridex Dyre
2015-07-07FireEyeSudeep Singh, Yu Wang
@online{singh:20150707:dyre:07242f2, author = {Sudeep Singh and Yu Wang}, title = {{Dyre Banking Trojan Exploits CVE-2015-0057}}, date = {2015-07-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html}, language = {English}, urldate = {2020-06-08} } Dyre Banking Trojan Exploits CVE-2015-0057
Dyre

Credits: MISP Project