Wizard Spider

OriginRússia

Techniques (MITRE ATT&CK)64

SourceMITRE ATT&CK

Also known as:UNC1878TEMP.MixMasterGrim SpiderFIN12GOLD BLACKBURNITG23Periwinkle TempestDEV-0193Pistachio TempestDEV-0237

Vexday analysis

Wizard Spider é um grupo de ameaça de origem russa, motivado financeiramente, conhecido pela criação e implantação do TrickBot desde pelo menos 2016. O grupo dispõe de um arsenal diversificado de ferramentas e conduziu campanhas de ransomware contra organizações variadas, incluindo grandes corporações e hospitais. Rastreado pelo MITRE ATT&CK sob o identificador G0102, possui 64 técnicas documentadas e 4 CVEs atribuídas, sendo também referenciado pelos aliases UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN e ITG23.

Techniques (MITRE ATT&CK) 64

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Resource development

Email Accounts Tool Code Signing Certificates

Initial access

Spearphishing Attachment Spearphishing Link

Execution

Windows Management Instrumentation Scheduled Task PowerShell Windows Command Shell Malicious Link Malicious File Service Execution

Persistence

External Remote Services Local Account Domain Account Windows Service Registry Run Keys / Startup Folder Winlogon Helper DLL

Credential access

LSASS Memory Security Account Manager NTDS Group Policy Preferences Windows Credential Manager Name Resolution Poisoning and SMB Relay Kerberoasting

Discovery

System Network Configuration Discovery Remote System Discovery System Owner/User Discovery System Information Discovery Domain Account Network Share Discovery Security Software Discovery Backup Software Discovery

Lateral movement

Remote Services Remote Desktop Protocol SMB/Windows Admin Shares Windows Remote Management Exploitation of Remote Services Pass the Hash Lateral Tool Transfer

Collection

Data from Local System Data Staged Local Data Staging Archive via Utility

Command and control

Web Protocols Ingress Tool Transfer

Exfiltration

Exfiltration Over C2 Channel Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration to Cloud Storage

Impact

Service Stop Inhibit System Recovery

defense-impairment

Modify Registry Windows Permissions Code Signing Disable or Modify Tools

stealth

Command Obfuscation Masquerade Task or Service Process Injection Dynamic-link Library Injection File Deletion Valid Accounts Domain Accounts BITS Jobs Rundll32

Exploited vulnerabilities 4

CVEs this group is known to exploit, per MITRE ATT&CK. Ordered by real-world severity.

CVE-2014-7169CRITICALEPSS 100%KEV CVE-2020-1472MEDIUMEPSS 100%KEV CVE-2016-6662EPSS 68%CVE-2017-0176EPSS 46%

Wizard Spider uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →