← All Threat Actors
Threat Actor Profile

WIZARD SPIDER

DEV-0193 DEV-0237 FIN12 G0102 GOLD BLACKBURN Grim Spider ITG23 Periwinkle Tempest Pistachio Tempest Storm-0193 Storm-0230 TEMP.MixMaster Trickbot LLC UNC1878 UNC2053
▲ High Threat
Wizard Spider is reportedly associated with Grim Spider and Lunar Spider. The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function. GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.
Origin Russia
Sponsor Russian Federation

Target Sectors

Defense Financial Government Healthcare Telecommunications

Known TTPs

Local Account
Code Signing Certificates
Exploitation of Remote Services
Archive via Utility
Windows Command Shell
Windows Management Instrumentation
Tool
Windows Service
SMB/Windows Admin Shares
Data Staged
Domain Accounts
Process Injection
Remote Services
Remote Desktop Protocol
Pass the Hash
Windows Permissions
Lateral Tool Transfer
Malicious File
Scheduled Task
Command Obfuscation
File Deletion
Group Policy Preferences
Exfiltration Over Unencrypted Non-C2 Protocol
Disable or Modify Tools
Security Software Discovery
Rundll32
Kerberoasting
PowerShell
Exfiltration to Cloud Storage
Modify Registry
Inhibit System Recovery
External Remote Services
Winlogon Helper DLL
Masquerade Task or Service
Domain Account
Backup Software Discovery
Web Protocols
Code Signing
Domain Account
Local Data Staging
Name Resolution Poisoning and SMB Relay
Ingress Tool Transfer
NTDS
System Network Configuration Discovery
Email Accounts
System Owner/User Discovery
Valid Accounts
Malicious Link
LSASS Memory
Exfiltration Over C2 Channel
Spearphishing Attachment
Security Account Manager
Service Stop
Spearphishing Link
Remote System Discovery
Data from Local System
System Information Discovery
Windows Credential Manager
Network Share Discovery
Service Execution
Registry Run Keys / Startup Folder
Windows Remote Management
Dynamic-link Library Injection
BITS Jobs

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD