Wizard Spider
Also known as: UNC1878 · TEMP.MixMaster · Grim Spider · FIN12 · GOLD BLACKBURN · ITG23 · Periwinkle Tempest · DEV-0193 · Pistachio Tempest · DEV-0237
Overview
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.
Targets
Defense · Finance · Government · Healthcare · Telecommunications
Regions
Australia · Bahamas · Canada · Costa Rica · France · Germany · India · Ireland · Italy · Japan · Mexico · New Zealand · Spain · Switzerland · Taiwan · Ukraine · United Kingdom · United States
Capabilities
- Custom malware/implant development — ATT&CK: 11 attributed custom malware families
TTPs — 64 techniques across 13 tactics
Resource Development
- T1585.002 Email Accounts
- T1588.002 Tool
- T1588.003 Code Signing Certificates
Initial Access
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1569.002 Service Execution
Persistence
- T1133 External Remote Services
- T1136.001 Local Account
- T1136.002 Domain Account
- T1543.003 Windows Service
- T1547.001 Registry Run Keys / Startup Folder
- T1547.004 Winlogon Helper DLL
Stealth
- T1027.010 Command Obfuscation
- T1036.004 Masquerade Task or Service
- T1055 Process Injection
- T1055.001 Dynamic-link Library Injection
- T1070.004 File Deletion
- T1078 Valid Accounts
- T1078.002 Domain Accounts
- T1197 BITS Jobs
- T1218.011 Rundll32
Defense Impairment
- T1112 Modify Registry
- T1222.001 Windows Permissions
- T1553.002 Code Signing
- T1685 Disable or Modify Tools
Credential Access
- T1003.001 LSASS Memory
- T1003.002 Security Account Manager
- T1003.003 NTDS
- T1552.006 Group Policy Preferences
- T1555.004 Windows Credential Manager
- T1557.001 Name Resolution Poisoning and SMB Relay
- T1558.003 Kerberoasting
Discovery
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1082 System Information Discovery
- T1087.002 Domain Account
- T1135 Network Share Discovery
- T1518.001 Security Software Discovery
- T1518.002 Backup Software Discovery
Lateral Movement
- T1021 Remote Services
- T1021.001 Remote Desktop Protocol
- T1021.002 SMB/Windows Admin Shares
- T1021.006 Windows Remote Management
- T1210 Exploitation of Remote Services
- T1550.002 Pass the Hash
- T1570 Lateral Tool Transfer
Collection
- T1005 Data from Local System
- T1074 Data Staged
- T1074.001 Local Data Staging
- T1560.001 Archive via Utility
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
Exfiltration
- T1041 Exfiltration Over C2 Channel
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
- T1567.002 Exfiltration to Cloud Storage
Impact
- T1489 Service Stop
- T1490 Inhibit System Recovery
Tools & malware (22)
TrickBot · AdFind · BITSAdmin · SystemBC · BloodHound · Ping · Bazar · LaZagne · Nltest · GrimAgent · Dyre · Ryuk · Conti · Emotet · Rubeus · Mimikatz · Anchor · Diavol · Net · Empire · PsExec · Cobalt Strike
Reporting (3)
- Financially Motivated Threat Actor Pistachio Tempest — Microsoft
- How Microsoft names threat actors — Microsoft
- Gold Blackburn Threat Profile — Secureworks Counter Threat Unit