Adversary

Wizard Spider

Origins

Eastern Europe, Russian Federation

Community identifiers

TrickBot, TrickLoader, TheTrick, TotBrick, Ryuk, UNC1878, Anchor, DNS, Conti, BazarLoader, Kegtap

Wizard Spider is a criminal group behind the core development and distribution of a sophisticated arsenal of criminal tools, that allow them to run multiple different types of operations.

The group surfaced in September 2016 with their commodity banking malware most commonly known as TrickBot. Their operations changed significantly in August 2018 when they began running targeted ransomware operations using Ryuk, followed by Conti ransomware since May 2020.

Wizard Spider’s corpus of malware is not openly advertised on criminal forums indicating that Wizard Spider likely only sells access to, or works alongside, trusted criminal groups. Origins of Wizard Spider’s operations are very similar to those of the actor that operated the Dyre malware, which ceased activity in November 2015. CrowdStrike Intelligence assesses with high confidence that some members of the former Dyre group play a key role in Wizard Spider.

Other tools operated by Wizard Spider, not already mentioned above, include:

Anchor
Sidoh
Gophe
RelayMTA
MagneticScraper
BazarLoader

Technical Tradecraft

TrickBot is a modular malware that allows for the deployment of additional capabilities, such as data harvesting, reconnaissance of the victim’s local network configuration and lateral movement without exploitation.
Anchor uses a DNS-based command-and-control (C2) protocol that allows connections to a remote C2 server for tasking.
MagneticScraper is used for stealing credit card data in both Track 1 and Track 2 formats from PoS systems.
Ryuk is a variant of the Hermes ransomware that has been tailored to execute in an enterprise environment. It uses RSA-2048 and AES-256 for encrypting files