
Wizard Spider

Wizard Spider is a Russia-based, financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)
ID: G0102
Associated Groups: Grim Spider, UNC1878, TEMP.MixMaster, ITG23, FIN12, Periwinkle Tempest, DEV-0193, GOLD BLACKBURN
Version: 4.0
Created: 12 May 2020
Last Modified: 03 Apr 2024

Associated Group Descriptions

Name Description
Grim Spider (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)
UNC1878 (Citation: FireEye KEGTAP SINGLEMALT October 2020)
TEMP.MixMaster (Citation: FireEye Ryuk and Trickbot January 2019)
ITG23 (Citation: IBM X-Force ITG23 Oct 2021)
FIN12 (Citation: Mandiant FIN12 Oct 2021)
Periwinkle Tempest (Citation: Microsoft Threat Actor Naming July 2023)
DEV-0193 (Citation: Microsoft Threat Actor Naming July 2023)
GOLD BLACKBURN (Citation: Secureworks Gold Blackburn Mar 2022)

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Wizard Spider has identified domain admins through the use of `net group "Domain admins" /DOMAIN`. Wizard Spider has also leveraged the PowerShell cmdlet `Get-ADComputer` to collect account names from Active Directory data.(Citation: DFIR Ryuk's Return October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Wizard Spider has used HTTP for network communications.(Citation: CrowdStrike Grim Spider May 2019)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Wizard Spider has archived data into ZIP files on compromised machines.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.(Citation: FireEye KEGTAP SINGLEMALT October 2020)
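The two autostart locations named in the Run-key and Winlogon entries above can be audited from the host itself. The script below is an added example written for this page, not code from MITRE ATT&CK, SECURITM or any of the cited reports: it lists every value under the per-user Run key, resolves each Startup-folder shortcut to its real target, and compares the Winlogon `Userinit` and `Shell` values to a baseline. The baseline values in `$ExpectedWinlogon` are an assumption for a default Windows install; replace them with the values recorded from your own images.

```powershell
# Added example, not code from the ATT&CK page: enumerate the autostart locations
# this entry names (HKCU Run key, Startup folder shortcuts, Winlogon Userinit/Shell)
# and flag deviations from a baseline.
# ASSUMPTION: the expected Winlogon values below are those of a default Windows
# install; record and use your own image's baseline instead.

$ExpectedWinlogon = @{
    Userinit = 'C:\Windows\system32\userinit.exe,'
    Shell    = 'explorer.exe'
}

function Get-RunKeyEntries {
    # Every value under the per-user Run key; the PS* properties are provider metadata.
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $key)) { return }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'HKCU Run'; Name = $_.Name; Target = [string]$_.Value }
        }
}

function Get-StartupShortcuts {
    # Resolve each .lnk in the per-user and all-users Startup folders to its real target,
    # because the shortcut name says nothing about what it launches.
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Source = 'Startup folder'
                Name   = $_.Name
                Target = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
            }
        }
    }
}

function Test-WinlogonValues {
    # Userinit and Shell are the values a helper gets appended to; compare them to the
    # baseline as whole strings so any extra component is reported.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key
    foreach ($name in $ExpectedWinlogon.Keys) {
        $actual = [string]$wl.$name
        [pscustomobject]@{
            Source  = 'Winlogon'
            Name    = $name
            Target  = $actual
            Matches = ($actual -eq $ExpectedWinlogon[$name])
        }
    }
}

# Run/Startup entries are all listed for review; Winlogon only when it deviates.
$report  = @(Get-RunKeyEntries) + @(Get-StartupShortcuts)
$report += @(Test-WinlogonValues | Where-Object { -not $_.Matches })
$report | Select-Object Source, Name, Target | Format-Table -AutoSize -Wrap
```

Run it in the context of the user being reviewed (the Run key and the per-user Startup folder are under HKCU and the user profile); reading the Winlogon key does not need elevation. String comparison with `-eq` is case-insensitive, so a baseline stored as `C:\WINDOWS\...` still matches.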

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Wizard Spider has used macros to execute PowerShell scripts to download malware on victims' machines.(Citation: CrowdStrike Grim Spider May 2019) It has also used PowerShell to execute commands and move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: Mandiant FIN12 Oct 2021)

.003 Command and Scripting Interpreter: Windows Command Shell

Wizard Spider has used `cmd.exe` to execute commands on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1136 .001 Create Account: Local Account

Wizard Spider has created local administrator accounts to maintain persistence in compromised networks.(Citation: Mandiant FIN12 Oct 2021)

.002 Create Account: Domain Account

Wizard Spider has created and used new accounts within a victim's Active Directory environment to maintain persistence.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.(Citation: CrowdStrike Grim Spider May 2019)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Wizard Spider has used PowerShell cmdlet `Invoke-WCMDump` to enumerate Windows credentials in the Credential Manager in a compromised network.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

Wizard Spider has staged ZIP files in local directories such as `C:\PerfLogs\1\` and `C:\User\1\` prior to exfiltration.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1585 .002 Establish Accounts: Email Accounts

Wizard Spider has leveraged ProtonMail email addresses in ransom notes when delivering Ryuk ransomware.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Wizard Spider has exfiltrated victim information using FTP.(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Wizard Spider has exfiltrated stolen victim data to various cloud storage providers.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Wizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders.(Citation: Sophos New Ryuk Attack October 2020)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.(Citation: CrowdStrike Grim Spider May 2019)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.(Citation: CrowdStrike Grim Spider May 2019) It has also used common document file names for other malware binaries.(Citation: FireEye KEGTAP SINGLEMALT October 2020)
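The service name (`ControlServiceA`) and task names (`WinDotNet`, `GoogleTask`, `Sysnetsf`) reported in the service and masquerading entries above are cheap to check for, but a name list alone ages quickly, so the review below also looks at what each service or task actually runs and who signed it. This is an added example written for this page, not code from MITRE ATT&CK, SECURITM or the cited vendors. `$SuspectNames` is taken from this page; `$ExpectedPublishers` is an assumption (Microsoft's own signer names) that you should extend with the publishers present in your estate.

```powershell
# Added example, not code from the ATT&CK page: review Windows services and scheduled
# tasks for the names reported on this page and for binaries whose Authenticode signer
# is not one of the publishers you expect.
# ASSUMPTIONS: $SuspectNames comes from this page; $ExpectedPublishers is a minimal
# Microsoft-only list and must be extended from your own baseline.

$SuspectNames       = @('ControlServiceA', 'WinDotNet', 'GoogleTask', 'Sysnetsf')
$ExpectedPublishers = @('Microsoft Windows', 'Microsoft Corporation')

function Get-SignerInfo {
    param([string]$Path)
    # Reduce a command line to its executable and read the Authenticode signature.
    # Limitation: an unquoted path containing spaces resolves to its first token only.
    if (-not $Path) { return [pscustomobject]@{ Status = 'NoPath'; Subject = '' } }
    $exe = $Path -replace '^"([^"]+)".*$', '$1'              # quoted path
    if ($exe -eq $Path) { $exe = ($Path -split ' ')[0] }     # unquoted: first token
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) { return [pscustomobject]@{ Status = 'Missing'; Subject = '' } }
    $sig     = Get-AuthenticodeSignature -FilePath $exe
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{ Status = [string]$sig.Status; Subject = $subject }
}

function Test-Publisher {
    param([string]$Subject)
    # "Valid" is not enough: this page notes payloads signed with certificates from public
    # CAs, so compare the signer's CN against the publishers you actually expect.
    foreach ($p in $ExpectedPublishers) { if ($Subject -like "*CN=$p*") { return $true } }
    return $false
}

function Get-ServiceFindings {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $sig = Get-SignerInfo -Path $_.PathName
        [pscustomobject]@{
            Kind       = 'Service'
            Name       = $_.Name
            Command    = $_.PathName
            NameMatch  = ($SuspectNames -contains $_.Name)
            SigStatus  = $sig.Status
            TrustedPub = (Test-Publisher -Subject $sig.Subject)
        }
    }
}

function Get-TaskFindings {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $sig = Get-SignerInfo -Path $action.Execute
            [pscustomobject]@{
                Kind       = 'Task'
                Name       = $task.TaskName
                Command    = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
                NameMatch  = ($SuspectNames -contains $task.TaskName)
                SigStatus  = $sig.Status
                TrustedPub = (Test-Publisher -Subject $sig.Subject)
            }
        }
    }
}

# Surface only what needs eyes: a reported name, or a binary not signed by an expected publisher.
@(Get-ServiceFindings) + @(Get-TaskFindings) |
    Where-Object { $_.NameMatch -or -not $_.TrustedPub } |
    Format-Table Kind, Name, NameMatch, SigStatus, Command -AutoSize -Wrap
```

Run elevated so that every service's binary path is readable. On a host with third-party software the unsigned/unexpected-publisher column will be noisy on the first pass; the intent is to record those publishers into `$ExpectedPublishers` once and then re-run, so that only new signers and the reported names remain.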

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Wizard Spider has dumped the lsass.exe memory to harvest credentials with the open-source tool LaZagne.(Citation: Mandiant FIN12 Oct 2021)

.002 OS Credential Dumping: Security Account Manager

Wizard Spider has acquired credentials from the SAM/SECURITY registry hives.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

.003 OS Credential Dumping: NTDS

Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database. Wizard Spider has also created a volume shadow copy and used a batch script file to collect ntds.dit with the Windows utility ntdsutil.(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Wizard Spider has used Base64 encoding to obfuscate an Empire service and PowerShell commands.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020)

Enterprise T1588 .002 Obtain Capabilities: Tool

Wizard Spider has utilized tools such as Empire, Cobalt Strike, Rubeus, AdFind, BloodHound, Metasploit, Advanced IP Scanner, Nirsoft PingInfoView, and SoftPerfect Network Scanner for targeting efforts.(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Mandiant FIN12 Oct 2021)

.003 Obtain Capabilities: Code Signing Certificates

Wizard Spider has obtained code signing certificates signed by DigiCert, GlobalSign, and COMODO for malware payloads.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Wizard Spider has used AdFind.exe to collect information about Active Directory groups and accounts.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)
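Several entries on this page (domain-admin discovery with `net group "Domain admins" /DOMAIN` and `Get-ADComputer`, NTDS collection with ntdsutil, Base64-encoded PowerShell, and AdFind group enumeration) all surface in process-creation telemetry as command lines, so one matching function covers them. The script below is an added example written for this page, not code from MITRE ATT&CK, SECURITM or the cited reports. The technique IDs and indicator strings are taken from this page; the regular expressions, the event field names (`Time`, `Host`, `User`, `CommandLine`) and the sample events are constructed for the example. The Base64 rule decodes `-EncodedCommand` payloads before matching, because the cmdlet name is otherwise invisible to a plain string search.

```powershell
# Added example, not code from the ATT&CK page: match process-creation command lines
# against the commands this page attributes to the group, decoding PowerShell
# -EncodedCommand payloads first so cmdlet names inside them are visible.
# ASSUMPTIONS: rule regexes, event field names and sample events are constructed here;
# in production feed Find-SuspiciousProcesses from Security event 4688 (with
# command-line auditing enabled) or Sysmon event 1.

$Rules = @(
    @{ Id = 'T1087.002'; Pattern = 'net(1)?(\.exe)?\s+group\s+"?domain admins"?\s+/domain' }
    @{ Id = 'T1087.002'; Pattern = 'Get-ADComputer' }
    @{ Id = 'T1003.003'; Pattern = 'ntdsutil' }
    @{ Id = 'T1069.002'; Pattern = 'adfind(\.exe)?' }
    @{ Id = 'T1027.010'; Pattern = 'powershell.*-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' }
)

function Expand-EncodedCommand {
    param([string]$CommandLine)
    # powershell -EncodedCommand takes Base64 of UTF-16LE text; append the decoded
    # script so the other rules can match what it actually runs.
    $m = [regex]::Match($CommandLine, '(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})')
    if (-not $m.Success) { return $CommandLine }
    try {
        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
        return "$CommandLine  [decoded: $decoded]"
    } catch {
        return $CommandLine          # not valid Base64: leave the line as-is
    }
}

function Find-SuspiciousProcesses {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $cmd = Expand-EncodedCommand -CommandLine $e.CommandLine
        foreach ($r in $Rules) {
            if ($cmd -match "(?i)$($r.Pattern)") {
                [pscustomobject]@{
                    Time = $e.Time; Host = $e.Host; User = $e.User
                    Technique = $r.Id; CommandLine = $cmd
                }
            }
        }
    }
}

# Constructed sample events (not real telemetry). The encoded one is built here so the
# Base64 is correct for the UTF-16LE script it carries.
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-ADComputer -Filter * | Select Name'))
$SampleEvents = @(
    [pscustomobject]@{ Time = '2020-10-08T14:02:11'; Host = 'WS01'; User = 'CORP\jdoe';   CommandLine = 'net  group "Domain admins" /DOMAIN' }
    [pscustomobject]@{ Time = '2020-10-08T14:05:40'; Host = 'WS01'; User = 'CORP\jdoe';   CommandLine = "powershell.exe -EncodedCommand $enc" }
    [pscustomobject]@{ Time = '2020-10-08T14:20:03'; Host = 'DC01'; User = 'CORP\svc_bk'; CommandLine = 'C:\Windows\System32\ntdsutil.exe <arguments omitted>' }
    [pscustomobject]@{ Time = '2020-10-08T14:22:19'; Host = 'WS01'; User = 'CORP\jdoe';   CommandLine = 'C:\Windows\System32\notepad.exe' }
)

Find-SuspiciousProcesses -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

On the sample input the first three events each produce a finding and the encoded one produces two (the encoding itself under T1027.010 and the decoded `Get-ADComputer` under T1087.002); notepad.exe produces none. The `ntdsutil` and `Get-ADComputer` rules will also fire on legitimate administration, so in practice pair them with the executing account and host: a domain-joined workstation or a non-admin account running them is the signal, not the command alone.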

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.(Citation: CrowdStrike Grim Spider May 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: Mandiant FIN12 Oct 2021)

.002 Phishing: Spearphishing Link

Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Wizard Spider has used RDP for lateral movement and to deploy ransomware interactively.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Mandiant FIN12 Oct 2021)

.002 Remote Services: SMB/Windows Admin Shares

Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk's Return October 2020)

.006 Remote Services: Windows Remote Management

Wizard Spider has used Windows Remote Management to move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Wizard Spider has used Rubeus, the Mimikatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.(Citation: DFIR Ryuk's Return October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Wizard Spider has used DigiCert code-signing certificates for some of its malware.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Wizard Spider has utilized `rundll32.exe` to deploy ransomware commands with the use of WebDAV.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1569 .002 System Services: Service Execution

Wizard Spider has used `services.exe` to execute scripts and executables during lateral movement within a victim's network. Wizard Spider has also used batch scripts that leverage PsExec to execute a previously transferred ransomware payload on a victim's network.(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1552 .006 Unsecured Credentials: Group Policy Preferences

Wizard Spider has used the PowerShell cmdlets `Get-GPPPassword` and `Find-GPOPassword` to find unsecured credentials in a compromised network's group policy.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Wizard Spider has used the `Invoke-SMBExec` PowerShell cmdlet to execute the pass-the-hash technique and utilized stolen password hashes to move laterally.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1204 .001 User Execution: Malicious Link

Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)

.002 User Execution: Malicious File

Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar.(Citation: CrowdStrike Grim Spider May 2019)(Citation: CrowdStrike Wizard Spider October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Software

ID Name References Techniques
S0266 TrickBot (Citation: CrowdStrike Grim Spider May 2019) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TrickBot Nov 2016) (Citation: Mandiant FIN12 Oct 2021) (Citation: Microsoft Ransomware as a Service) (Citation: Microsoft Totbrick Oct 2017) (Citation: S2 Grupo TrickBot June 2017) (Citation: Sophos New Ryuk Attack October 2020) (Citation: Totbrick) (Citation: Trend Micro Totbrick Oct 2016) (Citation: TrendMicro Trickbot Feb 2019) (Citation: TSPY_TRICKLOAD) System Information Discovery, System Owner/User Discovery, Component Object Model, Scheduled Task, Uncommonly Used Port, Bootkit, Browser Session Hijacking, Native API, PowerShell, Exfiltration Over C2 Channel, Fallback Channels, VNC, Obfuscated Files or Information, Windows Service, Software Packing, Credentials In Files, Malicious File, Symmetric Cryptography, Local Account, Network Share Discovery, Standard Encoding, Spearphishing Link, Data from Local System, Disable or Modify Tools, Permission Groups Discovery, Credentials in Registry, Process Discovery, Email Account, Time Based Evasion, Remote Access Software, Windows Command Shell, Masquerading, Firmware Corruption, Deobfuscate/Decode Files or Information, Remote System Discovery, Non-Standard Port, Password Managers, Modify Registry, Code Signing, Credential Stuffing, File and Directory Discovery, Credential API Hooking, System Service Discovery, Ingress Tool Transfer, Process Injection, Commonly Used Port, External Proxy, Process Hollowing, Exploitation of Remote Services, Hidden Window, Registry Run Keys / Startup Folder, Web Protocols, Encrypted/Encoded File, Credentials from Web Browsers, Domain Trust Discovery, System Network Configuration Discovery, Spearphishing Attachment
S0039 Net (Citation: CrowdStrike Ryuk January 2019) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Mandiant FIN12 Oct 2021) (Citation: Microsoft Net Utility) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Savill 1999) (Citation: Sophos New Ryuk Attack October 2020) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S0521 BloodHound (Citation: CrowdStrike BloodHound April 2018) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) (Citation: Mandiant FIN12 Oct 2021) (Citation: Sophos New Ryuk Attack October 2020) Domain Groups, Group Policy Discovery, Archive Collected Data, Password Policy Discovery, Local Groups, Domain Account, Local Account, System Owner/User Discovery, Remote System Discovery, Native API, PowerShell, Domain Trust Discovery
S0367 Emotet (Citation: CIS Emotet Apr 2017) (Citation: CIS Emotet Dec 2018) (Citation: CrowdStrike Grim Spider May 2019) (Citation: ESET Emotet Nov 2018) (Citation: Geodo) (Citation: Kaspersky Emotet Jan 2019) (Citation: Malwarebytes Emotet Dec 2017) (Citation: Picus Emotet Dec 2018) (Citation: Red Canary Emotet Feb 2019) (Citation: Secureworks Emotet Nov 2018) (Citation: Sophos New Ryuk Attack October 2020) (Citation: Symantec Emotet Jul 2018) (Citation: Talos Emotet Jan 2019) (Citation: Trend Micro Banking Malware Jan 2019) (Citation: Trend Micro Emotet Jan 2019) (Citation: US-CERT Emotet Jul 2018) System Owner/User Discovery, Lateral Tool Transfer, Archive Collected Data, Symmetric Cryptography, Credentials In Files, Password Guessing, Windows Management Instrumentation, Non-Standard Port, Binary Padding, Regsvr32, Custom Command and Control Protocol, SMB/Windows Admin Shares, Malicious File, Token Impersonation/Theft, Local Accounts, Registry Run Keys / Startup Folder, Spearphishing Link, Standard Encoding, Network Share Discovery, Web Protocols, Exfiltration Over C2 Channel, Embedded Payloads, Exploitation of Remote Services, Commonly Used Port, Email Collection, Scheduled Task, Credentials from Web Browsers, PowerShell, Deobfuscate/Decode Files or Information, Visual Basic, Uncommonly Used Port, Malicious Link, Masquerade Task or Service, Command Obfuscation, LSASS Memory, Network Sniffing, Reflective Code Loading, Encrypted/Encoded File, Windows Command Shell, Spearphishing Attachment, Email Account, Software Packing, Process Hollowing, Process Discovery, Dynamic-link Library Injection, Local Email Collection, Windows Service, Encrypted Channel, Native API, Wi-Fi Discovery
S0363 Empire (Citation: CrowdStrike Grim Spider May 2019) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: EmPyre) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: Mandiant FIN12 Oct 2021) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Command Obfuscation, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Information Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0575 Conti (Citation: CarbonBlack Conti July 2020) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Cybereason Conti Jan 2021) (Citation: Cybleinc Conti January 2020) (Citation: Mandiant FIN12 Oct 2021) (Citation: Microsoft Ransomware as a Service) SMB/Windows Admin Shares, Network Share Discovery, Deobfuscate/Decode Files or Information, Service Stop, File and Directory Discovery, System Network Configuration Discovery, Data Encrypted for Impact, Remote System Discovery, Obfuscated Files or Information, Inhibit System Recovery, System Network Connections Discovery, Dynamic-link Library Injection, Taint Shared Content, Windows Command Shell, Process Discovery, Native API
S0659 Diavol (Citation: DFIR Diavol Ransomware December 2021) (Citation: FBI Flash Diavol January 2022) (Citation: Fortinet Diavol July 2021) (Citation: Microsoft Ransomware as a Service) Data Destruction, Disable or Modify Tools, System Owner/User Discovery, Data Encrypted for Impact, Service Stop, File and Directory Discovery, Web Protocols, Process Discovery, Network Share Discovery, SMB/Windows Admin Shares, Internal Defacement, Steganography, System Network Configuration Discovery, Obfuscated Files or Information, Remote System Discovery, Native API, System Information Discovery, Ingress Tool Transfer, Inhibit System Recovery
S0504 Anchor (Citation: Anchor_DNS) (Citation: Cyberreason Anchor December 2019) (Citation: Medium Anchor DNS July 2020) (Citation: Microsoft Ransomware as a Service) Non-Application Layer Protocol, Windows Command Shell, Ingress Tool Transfer, Execution Guardrails, System Information Discovery, Scheduled Task, Cron, Unix Shell, Web Protocols, Code Signing, DNS, Windows Service, Obfuscated Files or Information, System Network Configuration Discovery, File Deletion, Software Packing, NTFS File Attributes, Service Execution, SMB/Windows Admin Shares, Fallback Channels
S0024 Dyre (Citation: CrowdStrike Wizard Spider March 2019) (Citation: Dyreza) (Citation: Dyzap) (Citation: Forbes Dyre May 2017) (Citation: Malwarebytes Dyreza November 2015) (Citation: Malwarebytes TrickBot Sep 2019) (Citation: Sophos Dyreza April 2015) (Citation: Symantec Dyre June 2015) System Network Configuration Discovery, System Owner/User Discovery, System Checks, Local Data Staging, Ingress Tool Transfer, Dynamic-link Library Injection, Scheduled Task, Deobfuscate/Decode Files or Information, Web Protocols, System Information Discovery, Software Packing, Process Injection, Software Discovery, Windows Service, Exfiltration Over C2 Channel, System Service Discovery
S0190 BITSAdmin (Citation: Mandiant FIN12 Oct 2021) (Citation: Microsoft BITSAdmin) Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, BITS Jobs
S0359 Nltest (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Mandiant FIN12 Oct 2021) (Citation: Nltest Manual) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Sophos New Ryuk Attack October 2020) Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0534 Bazar (Citation: Bazaloader) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Cybereason Bazar July 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: KEGTAP) (Citation: Microsoft Ransomware as a Service) (Citation: NCC Group Team9 June 2020) (Citation: Team9) File and Directory Discovery, Domain Trust Discovery, Asymmetric Cryptography, Domain Account, Remote System Discovery, Malicious Link, Network Share Discovery, Process Injection, BITS Jobs, Windows Command Shell, PowerShell, Encrypted/Encoded File, Security Software Discovery, Virtualization/Sandbox Evasion, Process Doppelgänging, Clear Persistence, Disable or Modify Tools, Indicator Removal, Data from Local System, Dynamic API Resolution, System Language Discovery, System Time Discovery, Process Discovery, Multi-Stage Channels, Query Registry, Match Legitimate Name or Location, Software Discovery, Symmetric Cryptography, Winlogon Helper DLL, Masquerade Task or Service, System Network Configuration Discovery, Time Based Evasion, System Owner/User Discovery, Code Signing, File Deletion, Fallback Channels, Web Protocols, Spearphishing Link, Ingress Tool Transfer, Local Account, Scheduled Task, Web Service, Double File Extension, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Process Hollowing, Native API, Shortcut Modification, Registry Run Keys / Startup Folder, System Information Discovery, Software Packing, Domain Generation Algorithms
S0446 Ryuk (Citation: Bleeping Computer - Ryuk WoL) (Citation: CrowdStrike Ryuk January 2019) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Mandiant FIN12 Oct 2021) (Citation: Microsoft Ransomware as a Service) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Sophos New Ryuk Attack October 2020) Obfuscated Files or Information, Disable or Modify Tools, Native API, Process Discovery, SMB/Windows Admin Shares, File and Directory Discovery, Inhibit System Recovery, System Language Discovery, Domain Accounts, Windows Command Shell, Match Legitimate Name or Location, Service Stop, Windows File and Directory Permissions Modification, Scheduled Task, System Information Discovery, Traffic Signaling, Data Encrypted for Impact, Process Injection, Masquerading, Registry Run Keys / Startup Folder, System Network Configuration Discovery, Access Token Manipulation
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Mandiant FIN12 Oct 2021) (Citation: Sophos New Ryuk Attack October 2020) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, File Transfer Protocols, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) (Citation: Mandiant FIN12 Oct 2021) Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem
S0097 Ping (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: TechNet Ping) Remote System Discovery
S0632 GrimAgent (Citation: Group IB GrimAgent July 2021) Registry Run Keys / Startup Folder, Windows Command Shell, Scheduled Task, Data from Local System, System Owner/User Discovery, Asymmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, System Network Configuration Discovery, Standard Encoding, Symmetric Cryptography, Native API, Mutual Exclusion, System Language Discovery, Time Based Evasion, System Location Discovery, Clear Persistence, Deobfuscate/Decode Files or Information, Junk Data, File Deletion, Obfuscated Files or Information, Web Protocols, System Information Discovery, Exfiltration Over C2 Channel, Binary Padding
S1071 Rubeus (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: GitHub Rubeus March 2023) (Citation: Mandiant FIN12 Oct 2021) Kerberoasting, Domain Trust Discovery, Silver Ticket, AS-REP Roasting, Golden Ticket
S0552 AdFind (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Mandiant FIN12 Oct 2021) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account
S0029 PsExec (Citation: CrowdStrike Grim Spider May 2019) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Mandiant FIN12 Oct 2021) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
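The rows above name the tools and the ATT&CK techniques they map to, but not how an analyst would recognise them in host telemetry. The Python below is an added example, not part of the original page or of any vendor's detection content: it runs simple rules over constructed Windows event records (Security 4688 process creation, System 7045 service install, Security 4769 Kerberos service ticket request, Security 4662 directory object access) for the AdFind, Ping, PsExec, Rubeus and Mimikatz usage listed in the table. The field names follow the Windows event schema; the user names, hosts, paths, thresholds and command-line patterns are assumptions that would be tuned per environment.

```python
"""Detection sketches for tools listed in the Wizard Spider software table.

Added example: not part of the original page or of any vendor's detection
content. The event records below are constructed, not real telemetry.
Field names mirror the Windows Security/System event schema (EventIDs 4688,
7045, 4769, 4662); the user names, hosts, paths, thresholds and command-line
patterns are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Control access right GUID for DS-Replication-Get-Changes. A non-DC
# account exercising it (Event 4662) is the usual DCSync indicator.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"  # TicketEncryptionType value in Event 4769


def detect(events, ping_threshold=10, ping_window=timedelta(minutes=2)):
    """Return (rule, subject) alerts for a list of event dicts."""
    alerts = []
    pings = defaultdict(list)  # user -> launch times of ping.exe

    for ev in events:
        eid = ev["EventID"]
        if eid == 4688:  # process creation
            image = ev["NewProcessName"].lower()
            cmd = ev.get("CommandLine", "").lower()
            # AdFind: binary name or its tell-tale query / trust-dump switches
            if image.endswith("\\adfind.exe") or "objectcategory=" in cmd or "trustdmp" in cmd:
                alerts.append(("AdFind AD enumeration (T1087.002/T1482)", ev["SubjectUserName"]))
            if image.endswith("\\ping.exe"):
                pings[ev["SubjectUserName"]].append(ev["Time"])
        elif eid == 7045:  # new service installed
            # PsExec copies PSEXESVC.exe to the target and registers it as a service
            if ev["ServiceName"].upper() == "PSEXESVC" or "psexesvc" in ev["ImagePath"].lower():
                alerts.append(("PsExec service install (T1569.002)", ev["Computer"]))
        elif eid == 4769:  # Kerberos service ticket requested
            svc = ev["ServiceName"]
            # Rubeus kerberoast: RC4 TGS for a user-account SPN (not host$, not krbtgt)
            if (ev["TicketEncryptionType"] == RC4_HMAC and not svc.endswith("$")
                    and svc.lower() != "krbtgt"):
                alerts.append(("Kerberoasting (T1558.003)", ev["TargetUserName"]))
        elif eid == 4662:  # operation performed on an AD object
            # Mimikatz lsadump::dcsync requests replication rights as a user account
            if (DS_REPLICATION_GET_CHANGES in ev["Properties"].lower()
                    and not ev["SubjectUserName"].endswith("$")):
                alerts.append(("DCSync (T1003.006)", ev["SubjectUserName"]))

    # Ping: many launches by one user inside a short window = host sweep
    for user, times in pings.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > ping_window:
                start += 1
            if end - start + 1 >= ping_threshold:
                alerts.append(("ping host sweep (T1018)", user))
                break
    return alerts


T0 = datetime(2020, 10, 18, 14, 0, 0)  # constructed timestamp
SAMPLE_EVENTS = [  # constructed records, not real logs
    {"EventID": 4688, "Time": T0, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\Temp\\adfind.exe",
     "CommandLine": 'adfind.exe -f "(objectcategory=person)"'},
    {"EventID": 4688, "Time": T0, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\Temp\\adfind.exe",
     "CommandLine": "adfind.exe -gcb -sc trustdmp"},
    {"EventID": 7045, "Time": T0, "Computer": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4769, "Time": T0, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": T0, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12"},  # benign AES TGS
    {"EventID": 4662, "Time": T0, "SubjectUserName": "jdoe",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
] + [  # twelve pings in twelve seconds: a /24 sweep in progress
    {"EventID": 4688, "Time": T0 + timedelta(seconds=i), "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\ping.exe",
     "CommandLine": f"ping -n 1 10.0.0.{i}"}
    for i in range(1, 13)
]

if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

Each rule is deliberately narrow so that a false positive is easy to reason about: the AES machine-account TGS and the single benign ping both pass through without an alert, while the RC4 user-SPN ticket and the burst of pings do not. The ping threshold and window are the knobs most likely to need adjustment, since administrators also sweep subnets.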

References

  1. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  2. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  3. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  4. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  5. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  6. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  7. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  8. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  9. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  10. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  11. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  12. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  13. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  14. Brewster, T. (2017, May 4). https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a. Retrieved June 15, 2020.
  15. Feeley, B. and Stone-Gross, B. (2019, March 20). New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration. Retrieved June 15, 2020.
  16. Umawing, J. (2019, September 3). TrickBot adds new trick to its arsenal: tampering with trusted texts. Retrieved June 15, 2020.
  17. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  18. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  19. Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.
  20. Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.
