Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.
The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.
GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.
2020-01-17 ⋅ Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5,
author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa},
title = {{Battle Against Ursnif Malspam Campaign targeting Japan}},
date = {2020-01-17},
institution = {},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf},
language = {English},
urldate = {2020-01-17}
}
Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone |
2020-01-16 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200116:trickbot:ed6fdb3,
author = {Lawrence Abrams},
title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}},
date = {2020-01-16},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/},
language = {English},
urldate = {2020-01-20}
}
TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection
TrickBot |
2020-01-14 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200114:ryuk:b2e47fa,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}},
date = {2020-01-14},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/},
language = {English},
urldate = {2020-01-15}
}
Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
Ryuk |
2020-01-10 ⋅ CSIS ⋅ CSIS
@techreport{csis:20200110:threat:7454f36,
author = {CSIS},
title = {{Threat Matrix H1 2019}},
date = {2020-01-10},
institution = {CSIS},
url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf},
language = {English},
urldate = {2020-01-22}
}
Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot |
2020-01-09 ⋅ SentinelOne ⋅ Vitali Kremez, Joshua Platt, Jason Reaves
@online{kremez:20200109:toptier:4f8de90,
author = {Vitali Kremez and Joshua Platt and Jason Reaves},
title = {{Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets}},
date = {2020-01-09},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/},
language = {English},
urldate = {2020-01-13}
}
Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
TrickBot WIZARD SPIDER |
2019-12-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20191226:ryuk:acc2284,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Stops Encrypting Linux Folders}},
date = {2019-12-26},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/},
language = {English},
urldate = {2020-01-08}
}
Ryuk Ransomware Stops Encrypting Linux Folders
Ryuk |
2019-12-21 ⋅ Decrypt ⋅ Adriana Hamacher
@online{hamacher:20191221:how:9d026a8,
author = {Adriana Hamacher},
title = {{How ransomware exploded in the age of Bitcoin}},
date = {2019-12-21},
organization = {Decrypt},
url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc},
language = {English},
urldate = {2020-01-13}
}
How ransomware exploded in the age of Bitcoin
Ryuk |
2019-12-19 ⋅ Malwarebytes ⋅ Jovi Umawing
@online{umawing:20191219:threat:552a941,
author = {Jovi Umawing},
title = {{Threat spotlight: the curious case of Ryuk ransomware}},
date = {2019-12-19},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/},
language = {English},
urldate = {2020-01-08}
}
Threat spotlight: the curious case of Ryuk ransomware
Ryuk |
2019-12-15 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20191215:ryuk:74f6eab,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}},
date = {2019-12-15},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/},
language = {English},
urldate = {2020-01-13}
}
Ryuk Ransomware Likely Behind New Orleans Cyberattack
Ryuk |
2019-12-11 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Eli Salem, Mary Zhao, Niv Yona, Omer Yampel, Matt Hart
@online{dahan:20191211:dropping:0849f70,
author = {Assaf Dahan and Lior Rochberger and Eli Salem and Mary Zhao and Niv Yona and Omer Yampel and Matt Hart},
title = {{Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware}},
date = {2019-12-11},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware},
language = {English},
urldate = {2020-01-06}
}
Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
Anchor WIZARD SPIDER |
2019-12-09 ⋅ Emsisoft ⋅ EmsiSoft Malware Lab
@online{lab:20191209:caution:05ff83a,
author = {EmsiSoft Malware Lab},
title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}},
date = {2019-12-09},
organization = {Emsisoft},
url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/},
language = {English},
urldate = {2020-01-07}
}
Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk |
2019-12-09 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Brittany Ash, Mike Harbison
@online{lee:20191209:trickbot:48d9da3,
author = {Bryan Lee and Brittany Ash and Mike Harbison},
title = {{TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks}},
date = {2019-12-09},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/},
language = {English},
urldate = {2020-01-22}
}
TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks
TrickBot |
2019-11-27 ⋅ Twitter (@Prosegur) ⋅ Prosegur
@online{prosegur:20191127:incident:bd76c3f,
author = {Prosegur},
title = {{Tweet on Incident of Information Security}},
date = {2019-11-27},
organization = {Twitter (@Prosegur)},
url = {https://twitter.com/Prosegur/status/1199732264386596864},
language = {English},
urldate = {2020-01-09}
}
Tweet on Incident of Information Security
Ryuk |
2019-11-22 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
@online{duncan:20191122:trickbot:e14933b,
author = {Brad Duncan},
title = {{Trickbot Updates Password Grabber Module}},
date = {2019-11-22},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/},
language = {English},
urldate = {2020-01-22}
}
Trickbot Updates Password Grabber Module
TrickBot |
2019-11-08 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
@online{duncan:20191108:wireshark:f37b983,
author = {Brad Duncan},
title = {{Wireshark Tutorial: Examining Trickbot Infections}},
date = {2019-11-08},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/},
language = {English},
urldate = {2020-01-06}
}
Wireshark Tutorial: Examining Trickbot Infections
TrickBot |
2019-11-06 ⋅ Heise Security ⋅ Thomas Hungenberg
@online{hungenberg:20191106:emotet:1605954,
author = {Thomas Hungenberg},
title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}},
date = {2019-11-06},
organization = {Heise Security},
url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html},
language = {German},
urldate = {2020-01-06}
}
Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot |
2019-11 ⋅ CCN-CERT ⋅ CCN-CERT
@online{ccncert:201911:informe:69b39b5,
author = {CCN-CERT},
title = {{Informe Código Dañino CCN-CERT ID-26/19}},
date = {2019-11},
organization = {CCN-CERT},
url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html},
language = {Espanyol},
urldate = {2020-01-10}
}
Informe Código Dañino CCN-CERT ID-26/19
Ryuk |
2019-11-01 ⋅ CrowdStrike ⋅ Alexander Hanel, Brett Stone-Gross
@online{hanel:20191101:wizard:a34a09e,
author = {Alexander Hanel and Brett Stone-Gross},
title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}},
date = {2019-11-01},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/},
language = {English},
urldate = {2019-12-20}
}
WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
Ryuk WIZARD SPIDER |
2019-10-29 ⋅ SneakyMonkey Blog ⋅ SneakyMonkey
@online{sneakymonkey:20191029:trickbot:bd7249c,
author = {SneakyMonkey},
title = {{TRICKBOT - Analysis Part II}},
date = {2019-10-29},
organization = {SneakyMonkey Blog},
url = {https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/},
language = {English},
urldate = {2019-12-17}
}
TRICKBOT - Analysis Part II
TrickBot |
2019-09-25 ⋅ GovCERT.ch ⋅ GovCERT.ch
@online{govcertch:20190925:trickbot:8346dd7,
author = {GovCERT.ch},
title = {{Trickbot - An analysis of data collected from the botnet}},
date = {2019-09-25},
organization = {GovCERT.ch},
url = {https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet},
language = {English},
urldate = {2020-01-08}
}
Trickbot - An analysis of data collected from the botnet
TrickBot |
2019-09-09 ⋅ McAfee ⋅ Thomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c,
author = {Thomas Roccia and Marc Rivero López and Chintan Shah},
title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}},
date = {2019-09-09},
organization = {McAfee},
url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/},
language = {English},
urldate = {2020-01-10}
}
Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda |
2019-08-27 ⋅ Secureworks ⋅ CTU Research Team
@online{team:20190827:trickbot:fa5f95b,
author = {CTU Research Team},
title = {{TrickBot Modifications Target U.S. Mobile Users}},
date = {2019-08-27},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users},
language = {English},
urldate = {2020-01-09}
}
TrickBot Modifications Target U.S. Mobile Users
TrickBot |
2019-08-26 ⋅ InQuest ⋅ Josiah Smith
@online{smith:20190826:memory:c4cea9b,
author = {Josiah Smith},
title = {{Memory Analysis of TrickBot}},
date = {2019-08-26},
organization = {InQuest},
url = {https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis},
language = {English},
urldate = {2020-01-10}
}
Memory Analysis of TrickBot
TrickBot |
2019-08-05 ⋅ Trend Micro ⋅ Noel Anthony Llimos, Michael Jhon Ofiaza
@online{llimos:20190805:latest:62ba94b,
author = {Noel Anthony Llimos and Michael Jhon Ofiaza},
title = {{Latest Trickbot Campaign Delivered via Highly Obfuscated JS File}},
date = {2019-08-05},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/},
language = {English},
urldate = {2020-01-23}
}
Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot |
2019-07-11 ⋅ NTT Security ⋅ NTT Security
@online{security:20190711:targeted:a48e692,
author = {NTT Security},
title = {{Targeted TrickBot activity drops 'PowerBrace' backdoor}},
date = {2019-07-11},
organization = {NTT Security},
url = {https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor},
language = {English},
urldate = {2019-12-18}
}
Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot |
2019-06-04 ⋅ SlideShare ⋅ Vitali Kremez
@online{kremez:20190604:inside:d633c6f,
author = {Vitali Kremez},
title = {{Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez}},
date = {2019-06-04},
organization = {SlideShare},
url = {https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez},
language = {English},
urldate = {2020-01-13}
}
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez
TrickBot |
2019-05-22 ⋅ sneakymonk3y (Mark)
@online{mark:20190522:trickbot:277256b,
author = {sneakymonk3y (Mark)},
title = {{TRICKBOT - Analysis}},
date = {2019-05-22},
url = {https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/},
language = {English},
urldate = {2020-01-06}
}
TRICKBOT - Analysis
TrickBot |
2019-05-09 ⋅ GovCERT.ch ⋅ GovCERT.ch
@online{govcertch:20190509:severe:2767782,
author = {GovCERT.ch},
title = {{Severe Ransomware Attacks Against Swiss SMEs}},
date = {2019-05-09},
organization = {GovCERT.ch},
url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes},
language = {English},
urldate = {2019-07-11}
}
Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot |
2019-05-02 ⋅ CERT.PL ⋅ Michał Praszmo
@online{praszmo:20190502:detricking:43a7dc1,
author = {Michał Praszmo},
title = {{Detricking TrickBot Loader}},
date = {2019-05-02},
organization = {CERT.PL},
url = {https://www.cert.pl/en/news/single/detricking-trickbot-loader/},
language = {English},
urldate = {2020-01-08}
}
Detricking TrickBot Loader
TrickBot |
2019-04-05 ⋅ FireEye ⋅ Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
@online{mckeague:20190405:picksix:d101a59,
author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock},
title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}},
date = {2019-04-05},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html},
language = {English},
urldate = {2019-12-20}
}
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6 |
2019-04-05 ⋅ Medium vishal_thakur ⋅ Vishal Thakur
@online{thakur:20190405:trickbot:d1c4891,
author = {Vishal Thakur},
title = {{Trickbot — a concise treatise}},
date = {2019-04-05},
organization = {Medium vishal_thakur},
url = {https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737},
language = {English},
urldate = {2020-01-13}
}
Trickbot — a concise treatise
TrickBot |
2019-04-02 ⋅ Cybereason ⋅ Noa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37,
author = {Noa Pinkas and Lior Rochberger and Matan Zatz},
title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}},
date = {2019-04-02},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware},
language = {English},
urldate = {2020-01-09}
}
Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot |
2019-03-26 ⋅ ANSSI ⋅ ANSSI
@techreport{anssi:20190326:informations:7965c3d,
author = {ANSSI},
title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}},
date = {2019-03-26},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf},
language = {French},
urldate = {2020-01-10}
}
INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK
Ryuk |
2019-03-20 ⋅ CrowdStrike ⋅ Brendon Feeley, Brett Stone-Gross
@online{feeley:20190320:new:07bf05b,
author = {Brendon Feeley and Brett Stone-Gross},
title = {{New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration}},
date = {2019-03-20},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/},
language = {English},
urldate = {2019-12-20}
}
New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration
Lunar Spider WIZARD SPIDER |
2019-03-05 ⋅ PepperMalware Blog ⋅ Pepper Potts
@online{potts:20190305:quick:773aabc,
author = {Pepper Potts},
title = {{Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework}},
date = {2019-03-05},
organization = {PepperMalware Blog},
url = {http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html},
language = {English},
urldate = {2019-12-19}
}
Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework
TrickBot |
2019-02-15 ⋅ CrowdStrike ⋅ Brendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693,
author = {Brendon Feeley and Bex Hartley},
title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}},
date = {2019-02-15},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/},
language = {English},
urldate = {2019-12-20}
}
“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak Lunar Spider WIZARD SPIDER |
2019-02-12 ⋅ Trend Micro ⋅ Trend Micro
@online{micro:20190212:trickbot:73576ba,
author = {Trend Micro},
title = {{Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire}},
date = {2019-02-12},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/},
language = {English},
urldate = {2020-01-12}
}
Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
TrickBot |
2019-01-11 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4,
author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer},
title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}},
date = {2019-01-11},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html},
language = {English},
urldate = {2019-12-20}
}
A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER |
2019-01-10 ⋅ CrowdStrike ⋅ Alexander Hanel
@online{hanel:20190110:big:7e10bdf,
author = {Alexander Hanel},
title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}},
date = {2019-01-10},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/},
language = {English},
urldate = {2019-12-20}
}
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER |
2019-01-09 ⋅ McAfee ⋅ John Fokker, Christiaan Beek
@online{fokker:20190109:ryuk:350f477,
author = {John Fokker and Christiaan Beek},
title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}},
date = {2019-01-09},
organization = {McAfee},
url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/},
language = {English},
urldate = {2020-01-09}
}
Ryuk Ransomware Attack: Rush to Attribution Misses the Point
Ryuk |
2019 ⋅ SecureData ⋅ Wicus Ross
@online{ross:2019:trickbot:7a0e2a6,
author = {Wicus Ross},
title = {{The TrickBot and MikroTik connection}},
date = {2019},
organization = {SecureData},
url = {https://www.secdata.com/the-trickbot-and-mikrotik/},
language = {English},
urldate = {2020-01-08}
}
The TrickBot and MikroTik connection
TrickBot |
2019 ⋅ Virus Bulletin ⋅ Gabriela Nicolao, Luciano Martins
@techreport{nicolao:2019:shinigamis:8397861,
author = {Gabriela Nicolao and Luciano Martins},
title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf},
language = {English},
urldate = {2020-01-05}
}
Shinigami's Revenge: The Long Tail of Ryuk Malware
Ryuk |
2018-12-29 ⋅ Los Angeles Times ⋅ Tony Barboza, Meg James, Emily Alpert Reyes
@online{barboza:20181229:malware:d5d8d0d,
author = {Tony Barboza and Meg James and Emily Alpert Reyes},
title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}},
date = {2018-12-29},
organization = {Los Angeles Times},
url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html},
language = {English},
urldate = {2020-01-10}
}
Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
Ryuk |
2018-12-05 ⋅ VIPRE ⋅ VIPRE Labs
@online{labs:20181205:trickbots:b45d588,
author = {VIPRE Labs},
title = {{Trickbot’s Tricks}},
date = {2018-12-05},
organization = {VIPRE},
url = {https://labs.vipre.com/trickbots-tricks/},
language = {English},
urldate = {2020-01-09}
}
Trickbot’s Tricks
TrickBot |
2018-11-12 ⋅ Malwarebytes ⋅ hasherezade
@online{hasherezade:20181112:whats:e44d5f3,
author = {hasherezade},
title = {{What’s new in TrickBot? Deobfuscating elements}},
date = {2018-11-12},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/},
language = {English},
urldate = {2019-12-20}
}
What’s new in TrickBot? Deobfuscating elements
TrickBot |
2018-11-08 ⋅ Fortinet ⋅ Xiaopeng Zhang
@online{zhang:20181108:deep:fca360c,
author = {Xiaopeng Zhang},
title = {{Deep Analysis of TrickBot New Module pwgrab}},
date = {2018-11-08},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html},
language = {English},
urldate = {2019-11-17}
}
Deep Analysis of TrickBot New Module pwgrab
TrickBot |
2018-11-01 ⋅ Trend Micro ⋅ Noel Anthony Llimos, Carl Maverick Pascual
@online{llimos:20181101:trickbot:7d0ea94,
author = {Noel Anthony Llimos and Carl Maverick Pascual},
title = {{Trickbot Shows Off New Trick: Password Grabber Module}},
date = {2018-11-01},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module},
language = {English},
urldate = {2020-01-06}
}
Trickbot Shows Off New Trick: Password Grabber Module
TrickBot |
2018-08-20 ⋅ Check Point ⋅ Itay Cohen, Ben Herzog
@online{cohen:20180820:ryuk:5756495,
author = {Itay Cohen and Ben Herzog},
title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}},
date = {2018-08-20},
organization = {Check Point},
url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/},
language = {English},
urldate = {2019-12-10}
}
Ryuk Ransomware: A Targeted Campaign Break-Down
Ryuk |
2018-08-14 ⋅ Cyberbit ⋅ Hod Gavriel
@online{gavriel:20180814:latest:7df6364,
author = {Hod Gavriel},
title = {{Latest Trickbot Variant has New Tricks Up Its Sleeve}},
date = {2018-08-14},
organization = {Cyberbit},
url = {https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/},
language = {English},
urldate = {2019-11-26}
}
Latest Trickbot Variant has New Tricks Up Its Sleeve
TrickBot |
2018-07-03 ⋅ Talos Intelligence ⋅ Ben Baker, Holger Unterbrink
@online{baker:20180703:smoking:067be1f,
author = {Ben Baker and Holger Unterbrink},
title = {{Smoking Guns - Smoke Loader learned new tricks}},
date = {2018-07-03},
organization = {Talos Intelligence},
url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html},
language = {English},
urldate = {2019-10-14}
}
Smoking Guns - Smoke Loader learned new tricks
SmokeLoader TrickBot |
2018-06-20 ⋅ OALabs
@online{oalabs:20180620:unpacking:e4d59a4,
author = {OALabs},
title = {{Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python}},
date = {2018-06-20},
url = {https://www.youtube.com/watch?v=EdchPEHnohw},
language = {English},
urldate = {2019-12-24}
}
Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python
TrickBot |
2018-06-13 ⋅ Github (JR0driguezB) ⋅ Jorge Rodriguez
@online{rodriguez:20180613:trickbot:e004ae8,
author = {Jorge Rodriguez},
title = {{TrickBot config files}},
date = {2018-06-13},
organization = {Github (JR0driguezB)},
url = {https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot},
language = {English},
urldate = {2019-07-11}
}
TrickBot config files
TrickBot |
2018-04-16 ⋅ Random RE ⋅ sysopfb
@online{sysopfb:20180416:trickbot:5305f46,
author = {sysopfb},
title = {{TrickBot & UACME}},
date = {2018-04-16},
organization = {Random RE},
url = {https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html},
language = {English},
urldate = {2020-01-09}
}
TrickBot & UACME
TrickBot |
2018-04-03 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
@online{kremez:20180403:lets:b45dd50,
author = {Vitali Kremez},
title = {{Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP}},
date = {2018-04-03},
organization = {Vitali Kremez Blog},
url = {http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html},
language = {English},
urldate = {2019-07-27}
}
Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP
TrickBot |
2018-03-31 ⋅ Youtube (hasherezade) ⋅ hasherezade
@online{hasherezade:20180331:deobfuscating:39c1be0,
author = {hasherezade},
title = {{Deobfuscating TrickBot's strings with libPeConv}},
date = {2018-03-31},
organization = {Youtube (hasherezade)},
url = {https://www.youtube.com/watch?v=KMcSAlS9zGE},
language = {English},
urldate = {2020-01-13}
}
Deobfuscating TrickBot's strings with libPeConv
TrickBot |
2018-03-27 ⋅ Trend Micro ⋅ Trendmicro
@online{trendmicro:20180327:evolving:faa2e54,
author = {Trendmicro},
title = {{Evolving Trickbot Adds Detection Evasion and Screen-Locking Features}},
date = {2018-03-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features},
language = {English},
urldate = {2020-01-07}
}
Evolving Trickbot Adds Detection Evasion and Screen-Locking Features
TrickBot |
2018-03-21 ⋅ Webroot ⋅ Jason Davison
@online{davison:20180321:trickbot:1f0576e,
author = {Jason Davison},
title = {{TrickBot Banking Trojan Adapts with New Module}},
date = {2018-03-21},
organization = {Webroot},
url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/},
language = {English},
urldate = {2020-01-13}
}
TrickBot Banking Trojan Adapts with New Module
TrickBot |
2018-02-15 ⋅ SecurityIntelligence ⋅ Ophir Harpaz, Magal Baz, Limor Kessem
@online{harpaz:20180215:trickbots:2cf1b53,
author = {Ophir Harpaz and Magal Baz and Limor Kessem},
title = {{TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets}},
date = {2018-02-15},
organization = {SecurityIntelligence},
url = {https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/},
language = {English},
urldate = {2020-01-06}
}
TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets
TrickBot |
2018-02-01 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
@online{duncan:20180201:quick:320f855,
author = {Brad Duncan},
title = {{Quick Test Drive of Trickbot (It now has a Monero Module)}},
date = {2018-02-01},
organization = {Malware Traffic Analysis},
url = {http://www.malware-traffic-analysis.net/2018/02/01/},
language = {English},
urldate = {2019-07-09}
}
Quick Test Drive of Trickbot (It now has a Monero Module)
TrickBot |
2017-12-30 ⋅ Youtube (hasherezade) ⋅ hasherezade
@online{hasherezade:20171230:unpacking:5477bb2,
author = {hasherezade},
title = {{Unpacking TrickBot with PE-sieve}},
date = {2017-12-30},
organization = {Youtube (hasherezade)},
url = {https://www.youtube.com/watch?v=lTywPmZEU1A},
language = {English},
urldate = {2020-01-06}
}
Unpacking TrickBot with PE-sieve
TrickBot |
2017-12-19 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
@online{kremez:20171219:lets:030e09a,
author = {Vitali Kremez},
title = {{Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module}},
date = {2017-12-19},
organization = {Vitali Kremez Blog},
url = {http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html},
language = {English},
urldate = {2019-11-23}
}
Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module
TrickBot |
2017-11-22 ⋅ Flashpoint ⋅ Vitali Kremez
@online{kremez:20171122:trickbot:faea11e,
author = {Vitali Kremez},
title = {{Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model}},
date = {2017-11-22},
organization = {Flashpoint},
url = {https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/},
language = {English},
urldate = {2019-12-10}
}
Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model
TrickBot |
2017-11-21 ⋅ Vitali Kremez
@online{kremez:20171121:lets:5fb17b0,
author = {Vitali Kremez},
title = {{Let's Learn: Trickbot Socks5 Backconnect Module In Detail}},
date = {2017-11-21},
url = {http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html},
language = {English},
urldate = {2019-11-22}
}
Let's Learn: Trickbot Socks5 Backconnect Module In Detail
TrickBot |
2017-10-06 ⋅ Blueliv ⋅ Blueliv
@online{blueliv:20171006:trickbot:a2a9ac8,
author = {Blueliv},
title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}},
date = {2017-10-06},
organization = {Blueliv},
url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/},
language = {English},
urldate = {2020-01-08}
}
TrickBot banking trojan using EFLAGS as an anti-hook technique
TrickBot |
2017-08-01 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20170801:trickbot:222d8bc,
author = {Malwarebytes Labs},
title = {{TrickBot comes up with new tricks: attacking Outlook and browsing data}},
date = {2017-08-01},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/},
language = {English},
urldate = {2019-12-20}
}
TrickBot comes up with new tricks: attacking Outlook and browsing data
TrickBot |
2017-07-27 ⋅ Flashpoint ⋅ Flashpoint
@online{flashpoint:20170727:new:bb5c883,
author = {Flashpoint},
title = {{New Version of “Trickbot” Adds Worm Propagation Module}},
date = {2017-07-27},
organization = {Flashpoint},
url = {https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/},
language = {English},
urldate = {2020-01-13}
}
New Version of “Trickbot” Adds Worm Propagation Module
TrickBot |
2017-07 ⋅ Ring Zero Labs ⋅ Ring Zero Labs
@online{labs:201707:trickbot:e738eaf,
author = {Ring Zero Labs},
title = {{TrickBot Banking Trojan - DOC00039217.doc}},
date = {2017-07},
organization = {Ring Zero Labs},
url = {https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html},
language = {English},
urldate = {2020-01-10}
}
TrickBot Banking Trojan - DOC00039217.doc
TrickBot |
2017-06-15 ⋅ F5 ⋅ Sara Boddy, Jesse Smith, Doron Voolf
@online{boddy:20170615:trickbot:6eb1db4,
author = {Sara Boddy and Jesse Smith and Doron Voolf},
title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}},
date = {2017-06-15},
organization = {F5},
url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms},
language = {English},
urldate = {2019-12-24}
}
Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs
TrickBot |
2017-06-12 ⋅ Security Art Work ⋅ Marc Salinas, JoséMiguel Holguín
@techreport{salinas:20170612:evolucin:9930231,
author = {Marc Salinas and JoséMiguel Holguín},
title = {{Evolución de Trickbot}},
date = {2017-06-12},
institution = {Security Art Work},
url = {https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf},
language = {Spanish},
urldate = {2020-01-10}
}
Evolución de Trickbot
TrickBot |
2017-05-26 ⋅ PWC ⋅ PWC
@online{pwc:20170526:trickbots:c1b84e1,
author = {PWC},
title = {{TrickBot’s bag of tricks}},
date = {2017-05-26},
organization = {PWC},
url = {http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html},
language = {English},
urldate = {2020-01-09}
}
TrickBot’s bag of tricks
TrickBot |
2017-05-04 ⋅ Forbes ⋅ Thomas Brewster
@online{brewster:20170504:behind:4da1ded,
author = {Thomas Brewster},
title = {{Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business}},
date = {2017-05-04},
organization = {Forbes},
url = {https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates},
language = {English},
urldate = {2020-01-09}
}
Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business
Dyre |
2017-03-01 ⋅ FraudWatch International ⋅ FraudWatch International
@online{international:20170301:how:fb75ef9,
author = {FraudWatch International},
title = {{How Does the Trickbot Malware Work?}},
date = {2017-03-01},
organization = {FraudWatch International},
url = {https://blog.fraudwatchinternational.com/malware/trickbot-malware-works},
language = {English},
urldate = {2020-01-08}
}
How Does the Trickbot Malware Work?
TrickBot |
2016-12-07 ⋅ Botconf ⋅ Joshua Adams
@techreport{adams:20161207:trickbot:fc3427c,
author = {Joshua Adams},
title = {{The TrickBot Evolution}},
date = {2016-12-07},
institution = {Botconf},
url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf},
language = {English},
urldate = {2020-01-09}
}
The TrickBot Evolution
TrickBot |
2016-12-06 ⋅ Fortinet ⋅ Xiaopeng Zhang
@online{zhang:20161206:deep:1f1521f,
author = {Xiaopeng Zhang},
title = {{Deep Analysis of the Online Banking Botnet TrickBot}},
date = {2016-12-06},
organization = {Fortinet},
url = {http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot},
language = {English},
urldate = {2020-01-08}
}
Deep Analysis of the Online Banking Botnet TrickBot
TrickBot |
2016-11-09 ⋅ Lior Keshet
@online{keshet:20161109:tricks:c3ab510,
author = {Lior Keshet},
title = {{Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations}},
date = {2016-11-09},
url = {https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/},
language = {English},
urldate = {2019-10-17}
}
Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations
TrickBot |
2016-11-07 ⋅ F5 Labs ⋅ Julia Karpin, Shaul Vilkomir-Preisman, Anna Dorfman
@online{karpin:20161107:little:598f939,
author = {Julia Karpin and Shaul Vilkomir-Preisman and Anna Dorfman},
title = {{Little Trickbot Growing Up: New Campaign}},
date = {2016-11-07},
organization = {F5 Labs},
url = {https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412},
language = {English},
urldate = {2020-01-06}
}
Little Trickbot Growing Up: New Campaign
TrickBot |
2016-10-25 ⋅ NetScout ⋅ ASERT Team
@online{team:20161025:trickbot:dd465d9,
author = {ASERT Team},
title = {{TrickBot Banker Insights}},
date = {2016-10-25},
organization = {NetScout},
url = {https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/},
language = {English},
urldate = {2019-07-11}
}
TrickBot Banker Insights
TrickBot |
2016-10-24 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20161024:introducing:e59ac27,
author = {Malwarebytes Labs},
title = {{Introducing TrickBot, Dyreza’s successor}},
date = {2016-10-24},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/},
language = {English},
urldate = {2019-12-20}
}
Introducing TrickBot, Dyreza’s successor
TrickBot |
2016-10-15 ⋅ Fidelis Cybersecurity ⋅ Threat Research Team
@online{team:20161015:trickbot:cc9f48f,
author = {Threat Research Team},
title = {{TrickBot: We Missed you, Dyre}},
date = {2016-10-15},
organization = {Fidelis Cybersecurity},
url = {https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre},
language = {English},
urldate = {2019-11-28}
}
TrickBot: We Missed you, Dyre
TrickBot |
2015-11-04 ⋅ Malwarebytes ⋅ hasherezade
@online{hasherezade:20151104:technical:abd2b27,
author = {hasherezade},
title = {{A Technical Look At Dyreza}},
date = {2015-11-04},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/},
language = {English},
urldate = {2019-12-20}
}
A Technical Look At Dyreza
Dyre |
2015-10-26 ⋅ Blueliv ⋅ Blueliv
@techreport{blueliv:20151026:chasing:975ef1a,
author = {Blueliv},
title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}},
date = {2015-10-26},
institution = {Blueliv},
url = {https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf},
language = {English},
urldate = {2020-01-13}
}
Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers
Dridex Dyre |