The inner workings of a cybercriminal group known as the Wizard Spider have been uncovered, which sheds light on its organizational structure and motivations.
“Most of Wizard Spider’s efforts go to hacking European and US businesses, using a special cracking tool to breach some of their attacking high-value targets,” said Swiss cybersecurity company Prodaft. Says In a new report shared with The Hacker News. “Some of the money they receive is returned to the project to develop new equipment and talent.”
Wizard Spider, also known as Gold Blackburn, is thought to be operating outside of Russia and refers to a financially motivated threat actor linked to the Trickbot botnet, a modular malware that was officially shut down earlier this year for advanced malware such as MarketBackDore. .
That’s not all. Trickbot operators have collaborated extensively with Conti, another Russia-linked cybercrime group notorious for offering its partners ransomware-a-a-service packages.
Gold Ulrich (aka Grim Spider), the group responsible for distributing ransomware to Conti (formerly Ryuk), has historically gained the initial access granted by Trikbot to deploy ransomware against the target network.
“Gold Ulrik Gold consists of some or all of the same operators as Blackburn, the threat group responsible for distributing malware such as Trickbot, MarketLoader and Beaure Loader,” said cybersecurity firm SecureWorks. Comments In the profile of cyber criminal syndicate.
Noting that the group was “capable of monetizing multiple aspects of its operations”, PRODAFT emphasized the adversary’s ability to expand its criminal activities, which it said was made possible by the gang’s “extraordinary profits”.
The general attack chains associated with the group begin with spam campaigns that distribute malware such as Qakbot (aka QBot) and SystemBC, using the locker software as a launchpad to drop additional equipment for lateral movement, including cobalt strikes before launching.
In addition to utilizing a wide range of utilities for certificate theft and search, Wizard Spider is known for using an exploit toolkit that takes advantage of known security vulnerabilities such as Log4Shell to get its first foothold in vulnerable networks.
A cracking station can also be used that hosts cracked hashes related to domain certificates, Kerberos tickets and KeePass files, among others.
What’s more, the group has invested in a custom VoIP setup that hires non-responsive victims to put extra pressure on telephone operators and force them to pay after a ransomware attack.
This is not the first time the team has adopted such a strategy. Last year, Microsoft detailed a BazarLoader campaign called BazaCall that employed bogus call centers to lure unsuspecting victims to install ransomware on their systems.
“The group’s command includes a large number of compromised devices and employs a highly distributed professional workflow to maintain security and a high operational tempo,” the researchers said.
“It’s responsible for massive spam on millions of devices, as well as ransomware attacks on compact data breaches and high-value targets.”