
Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: Wizard Spider, Gold Blackburn

Names: Wizard Spider (CrowdStrike), Grim Spider (CrowdStrike), TEMP.MixMaster (FireEye), Gold Blackburn (SecureWorks)
Country: Russia
Motivation: Financial crime
First seen: 2014
Description: Wizard Spider is reportedly associated with Lunar Spider.

(CrowdStrike) The Wizard Spider threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which Grim Spider appears to be a subset. The Lunar Spider threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides Lunar Spider affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.

Dyre has been observed to be distributed by Cutwail (operated by Narwhal Spider), as well as their own botnets Gophe and Upatre.

TrickBot has been observed to be distributed via Emotet (operated by Mummy Spider, TA542), BokBot (operated by Lunar Spider), Smoke Loader (operated by Smoky Spider), DanaBot (operated by Scully Spider, TA547), Kelihos (operated by Zombie Spider), Necurs (operated by Monty Spider) and Taurus Loader (operated by Venom Spider, Golden Chickens), as well as their own botnet Gophe.
Observed sectors: Defense, Financial, Government, Healthcare, Telecommunications.
Observed countries: Worldwide.
Tools used: AdFind, Anchor, BazarBackdoor, BloodHound, Cobalt Strike, Conti, Dyre, Gophe, Invoke-SMBAutoBrute, LaZagne, PowerSploit, PowerTrick, Ryuk, SessionGopher, TrickBot, TrickMo, Upatre.
Operations performed:
Apr 2019: Cybercriminals Spoof Major Accounting and Payroll Firms in Tax Season Malware Campaigns
<https://securityintelligence.com/cybercriminals-spoof-major-accounting-and-payroll-firms-in-tax-season-malware-campaigns/>
Jun 2019: During June and July, F5 researchers first noticed Trickbot campaigns aimed at a smaller set of geographically oriented targets and did not use redirection attacks—a divergence from previous Trickbot characteristics.
<https://www.f5.com/labs/articles/threat-intelligence/tricky-trickbot-runs-campaigns-without-redirection>
Aug 2019: In a recent analysis in our cybercrime research labs, we noticed changes in the deployment of the TrickBot Trojan. At the time, the change we observed only applied to infection attempts on Windows 10 64-bit operating systems (OSs). In those cases, TrickBot ran the payload, but did not save its typical modules and configurations to disk.
<https://securityintelligence.com/posts/the-curious-case-of-a-fileless-trickbot-infection/>
Oct 2019: Computers at the DCH Regional Medical Center in Tuscaloosa, Fayette Medical Center and Northport Medical Center were infected with ransomware.
<https://www.bbc.com/news/technology-49905226>
Oct 2019: Shipping giant Pitney Bowes hit by ransomware
<https://techcrunch.com/2019/10/14/pitney-bowes-ransomware-attack/>
Nov 2019: Louisiana was hit by Ryuk, triggering another cyber-emergency
<https://arstechnica.com/information-technology/2019/11/louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency/>
Dec 2019: TrickBot Widens Infection Campaigns in Japan Ahead of Holiday Season
<https://securityintelligence.com/posts/trickbot-widens-infection-campaigns-in-japan-ahead-of-holiday-season/>
Dec 2019: The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware & APT
<https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/>
Dec 2019: The cyberattack that took down public-access computers at Volusia County, Fla., libraries last month involved ransomware that has elicited millions of dollars in ransom payments from governments and large businesses.
<https://www.govtech.com/security/Ryuk-Ransomware-behind-Attack-on-Florida-Library-System.html>
Dec 2019: New Orleans latest apparent victim of Ryuk ransomware
<https://statescoop.com/new-orleans-latest-apparent-victim-of-ryuk-ransomware/>
Dec 2019: An infection with the Ryuk ransomware took down a maritime facility for more than 30 hours, the US Coast Guard said in a security bulletin it published before Christmas.
<https://www.zdnet.com/article/us-coast-guard-discloses-ryuk-ransomware-infection-at-maritime-facility/>
Dec 2019: Suspected Ryuk ransomware attack locks down Adelaide's City of Onkaparinga council
<https://www.abc.net.au/news/2020-01-06/city-of-onkaparinga-hit-by-ryuk-ransomware/11843598>
Jan 2020: On the heels of a Ryuk ransomware attack on the Tampa Bay Times, researchers reported a new variant of the Ryuk stealer being aimed at government, financial and law enforcement targets.
<https://www.scmagazine.com/home/security-news/tampa-bay-times-hit-by-ryuk-new-variant-of-stealer-aimed-at-govt-finance/>
Jan 2020: Electronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US government contractor, has suffered a ransomware infection, ZDNet has learned.
<https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/>
Jan 2020: Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
<https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/>
Feb 2020: Ryuk Ransomware Campaign Targets Port Lavaca City Hall
<https://www.cisomag.com/ryuk-ransomware-campaign-targets-port-lavaca-city-hall/>
Feb 2020: EMCOR Group, a US-based Fortune 500 company specialized in engineering and industrial construction services, disclosed last month a ransomware incident that took down some of its IT systems.
<https://www.zdnet.com/article/ryuk-ransomware-hits-fortune-500-company-emcor/>
Feb 2020: Epiq Global, an international e-discovery and managed services company, has taken its systems offline globally after detecting unauthorized activity.
<https://www.lawsitesblog.com/2020/03/epiq-global-down-as-company-investigates-unauthorized-activity-on-systems.html>
Mar 2020: Trickbot campaign targets Coronavirus fears in Italy
<https://news.sophos.com/en-us/2020/03/04/trickbot-campaign-targets-coronavirus-fears-in-italy/>
Mar 2020: EVRAZ, one of the world's largest steel manufacturers and mining operations, has been hit by ransomware, a source inside the company told ZDNet today.
<https://www.zdnet.com/article/one-of-roman-abramovichs-companies-got-hit-by-ransomware/>
Mar 2020: The City of Durham, North Carolina has shut down its network after suffering a cyberattack by the Ryuk Ransomware this weekend.
<https://www.bleepingcomputer.com/news/security/ryuk-ransomware-behind-durham-north-carolina-cyberattack/>
Mar 2020: New Variant of TrickBot Being Spread by Word Document
<https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html>
Mar 2020: New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong
<https://labs.bitdefender.com/2020/03/new-trickbot-module-bruteforces-rdp-connections-targets-select-telecommunication-services-in-us-and-hong-kong/>
Mar 2020: TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany
<https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/>
Apr 2020: BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware
<https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/>
Apr 2020: TrickBot Campaigns Targeting Users via Department of Labor FMLA Spam
<https://securityintelligence.com/posts/trickbot-campaigns-targeting-users-via-department-of-labor-fmla-spam/>
Apr 2020: As early as April 2020, TrickBot updated one of its propagation modules known as “mworm” to a new module called “nworm.” Infections caused through nworm leave no artifacts on an infected DC, and they disappear after a reboot or shutdown.
<https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/>
Jul 2020: The infamous TrickBot trojan has started to check the screen resolutions of victims to detect whether the malware is running in a virtual machine.
<https://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/>
Aug 2020: University of Utah pays $457,000 to ransomware gang
<https://www.zdnet.com/article/university-of-utah-pays-457000-to-ransomware-gang/>
Aug 2020: Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites
<https://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/>
Sep 2020: US Court Hit by “Conti” Ransomware
<https://www.cbronline.com/news/conti-ransomware-court>
Sep 2020: Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, has reportedly shut down systems at healthcare facilities around the US after a cyber-attack that hit its network during early Sunday morning.
<https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/>
Counter operations:
Nov 2015: Russia’s FSB quietly led an operation to take down the world’s most active cybercriminal groups, the operators of the banking malware Dyre
<https://www.forbes.com/sites/thomasbrewster/2016/02/08/russia-arrests-dyre-malware-masterminds/>
Sep 2020: In recent weeks, the U.S. military has mounted an operation to temporarily disrupt what is described as the world’s largest botnet — one used also to drop ransomware, which officials say is one of the top threats to the 2020 election.
<https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html>
Oct 2020: We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.
<https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/>
Information:
<https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/>
<https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/>
<https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/>
<https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html>
<https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/>

Last change to this card: 19 October 2020

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency