WIZARD SPIDER


Wizard Spider is reportedly associated with Grim Spider and Lunar Spider. The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset.

The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.

GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.


Associated Families
win.dyre win.trickbot

References
http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot
http://www.malware-traffic-analysis.net/2018/02/01/
http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html
http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html
http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html
http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html
http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html
https://blog.fraudwatchinternational.com/malware/trickbot-malware-works
https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/
https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/
https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/
https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html
https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/
https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module
https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets
https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html
https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412
https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms
https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot
https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis
https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/
https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/
https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/
https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html
https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor
https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/
https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf
https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/
https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf
https://www.cert.pl/en/news/single/detricking-trickbot-loader/
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/
https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/
https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/
https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/
https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates
https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html
https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes
https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html
https://www.secdata.com/the-trickbot-and-mikrotik/
https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users
https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf
https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez
https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features
https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/
https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html
https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/
https://www.youtube.com/watch?v=EdchPEHnohw
https://www.youtube.com/watch?v=KMcSAlS9zGE
https://www.youtube.com/watch?v=lTywPmZEU1A

Credits: MISP Project