The inner workings and motivations of the Wizard Spider cybercriminal organization have been revealed.
“Most of Wizard Spider’s efforts go into hacking European and U.S. businesses, with a special cracking tool used by some of their attackers to breach high-value targets,” Swiss cybersecurity company PRODAFT said in a new report shared with The Hacker News. “They also invest some of their money in developing new tools and talents.”
Wizard Spider, also known as Gold Blackburn, is believed to operate out of Russia and refers to a financially motivated threat actor that’s been linked to the TrickBot botnet, a modular malware that was officially discontinued earlier this year in favor of improved malware such as BazarBackdoor.
But that’s not all. The TrickBot operators have also extensively cooperated with Conti, another Russia-linked cybercrime group notorious for offering ransomware-as-a-service packages to its affiliates.
Gold Ulrick, also known as Grim Spider, is the group that distributed the Conti ransomware. TrickBot has provided the initial access that enables the group to deploy the ransomware on targeted networks.
“Gold Ulrick is comprised of some or all of the same operators as Gold Blackburn, the threat group responsible for the distribution of malware such as TrickBot, BazarLoader and Buer Loader,” cybersecurity firm Secureworks notes in a profile of the cybercriminal syndicate.
Stating that the group is “capable of monetizing multiple aspects of its operations,” PRODAFT emphasized the adversary’s ability to expand its criminal enterprise, which it said is made possible by the gang’s “extraordinary profitability.”
Typical attack chains involving the group commence with spam campaigns that distribute malware such as Qakbot (aka QBot) and SystemBC, using them as launchpads to drop additional tools, including Cobalt Strike for lateral movement, before deploying the ransomware locker.
In addition to leveraging a wealth of utilities for credential theft and reconnaissance, Wizard Spider is known to use an exploitation toolkit that weaponizes recently disclosed vulnerabilities such as Log4Shell to gain an initial foothold in victim networks.
The cracking station also hosts cracked hashes for domain credentials, Kerberos tickets and KeePass files, among other things.
The group also invested in custom VoIP equipment that allowed it to cold call non-responsive victims, in an effort to increase pressure on the victim and force them into paying the ransom.
This isn’t the first time the group has used such tactics. Microsoft last year described a BazarLoader campaign called BazaCall, which used phony call centers to lure victims into paying the ransom.
“The group is armed with a large number of compromised devices and uses a distributed workflow that enables it to keep security high,” researchers stated.
“It’s responsible for a huge amount of spam across hundreds of millions and millions of devices as well as ransomware attacks against high-value targets and data breaches.”