Wizard Spider
Aliases: UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest, DEV-0193
Wizard Spider is a Russia-based, financially motivated threat group originally known for creating and deploying TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.
ATT&CK techniques
T1136.001 - Local Account
T1588.003 - Code Signing Certificates
T1210 - Exploitation of Remote Services
T1560.001 - Archive via Utility
T1059.003 - Windows Command Shell
T1047 - Windows Management Instrumentation
T1588.002 - Tool
T1543.003 - Windows Service
T1021.002 - SMB/Windows Admin Shares
T1074 - Data Staged
T1078.002 - Domain Accounts
T1055 - Process Injection
T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
T1550.002 - Pass the Hash
T1222.001 - Windows File and Directory Permissions Modification
T1570 - Lateral Tool Transfer
T1204.002 - Malicious File
T1053.005 - Scheduled Task
T1027.010 - Command Obfuscation
T1070.004 - File Deletion
T1552.006 - Group Policy Preferences
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
T1518.001 - Security Software Discovery
T1218.011 - Rundll32
T1558.003 - Kerberoasting
T1059.001 - PowerShell
T1567.002 - Exfiltration to Cloud Storage
T1112 - Modify Registry
T1490 - Inhibit System Recovery
T1133 - External Remote Services
T1547.004 - Winlogon Helper DLL
T1036.004 - Masquerade Task or Service
T1087.002 - Domain Account
T1518 - Software Discovery
T1071.001 - Web Protocols
T1553.002 - Code Signing
T1136.002 - Domain Account
T1074.001 - Local Data Staging
T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay
T1105 - Ingress Tool Transfer
T1003.003 - NTDS
T1016 - System Network Configuration Discovery
T1585.002 - Email Accounts
T1033 - System Owner/User Discovery
T1078 - Valid Accounts
T1204.001 - Malicious Link
T1003.001 - LSASS Memory
T1041 - Exfiltration Over C2 Channel
T1566.001 - Spearphishing Attachment
T1003.002 - Security Account Manager
T1489 - Service Stop
T1566.002 - Spearphishing Link
T1562.001 - Disable or Modify Tools
T1018 - Remote System Discovery
T1005 - Data from Local System
T1082 - System Information Discovery
T1555.004 - Windows Credential Manager
T1135 - Network Share Discovery
T1569.002 - Service Execution
T1547.001 - Registry Run Keys / Startup Folder
T1021.006 - Windows Remote Management
T1055.001 - Dynamic-link Library Injection
T1197 - BITS Jobs
T1069.002 - Domain Groups
T1482 - Domain Trust Discovery
T1090 - Proxy