WIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the creation and operation of the TrickBot banking malware. This Russia-based eCrime group originally began deploying TrickBot for the purpose of conducting financial fraud in 2016, but has since evolved into a highly capable group with a diverse and potent arsenal, including Ryuk, Conti and BazarLoader.

Their toolset covers the entirety of the kill chain, from delivery to post-exploitation tools and big game hunting (BGH) ransomware, enabling them to conduct a wide range of criminal activities against enterprise environments. WIZARD SPIDER has developed their tools over a number of years, and they continue to evolve the tactics, techniques and procedures (TTPs) needed to monetize their criminal operations in an efficient and effective manner. Over recent months, WIZARD SPIDER has demonstrated their resilience and dedication to criminal operations by operating multiple ransomware families with differing modi operandi, using TrickBot and BazarLoader to infiltrate victim environments and reacting to attempts to stop them in their tracks. The group has made significant improvements to their arsenal recently and has both developed new tools and modified existing ones. The key observations covered below are based on CrowdStrike® Intelligence analysis of BazarLoader, Conti and Ryuk operations.

TrickBot has remained a primary tool for WIZARD SPIDER and has grown to infect upward of one million systems worldwide. TrickBot has played an integral part in enabling BGH operations and poses a severe threat across all sectors and geographies. This has made WIZARD SPIDER's TrickBot malware an extremely prevalent and widely tracked target.

On September 21 and 22, 2020, CrowdStrike Intelligence observed a non-standard configuration file being distributed to victims infected with TrickBot. The configuration files instructed infected hosts to communicate with the command-and-control (C2) server address 0.0.0.1 on TCP port 1. This action resulted in an unknown number of bots being isolated from the TrickBot network and unreachable through the standard C2 channel.

This week, widespread public reporting has attributed this disruption attempt against TrickBot to multiple cybersecurity vendors. The operation against the TrickBot network was orchestrated to take down the botnet, thus reducing BGH infections by WIZARD SPIDER's Ryuk and Conti ransomware families, with an ultimate goal of protecting the forthcoming U.S.

Since the disruption operation began on September 21, 2020, we have observed a definite impact on the TrickBot network, with almost 10,000 unique downloads of the non-standard configuration identified.

Figure 1. TrickBot Activity Tracking (July 1 to October 14, 2020)

However, in spite of this, TrickBot activity has returned to its usual rapid pace, and the impact of the disruption operation was manifested as a short-term setback for WIZARD SPIDER. In a timely turn of events following a short break, MUMMY SPIDER's Emotet malware has resumed spamming activity this week, and we have since observed MUMMY SPIDER deploying TrickBot to Emotet-infected hosts. Downloaded TrickBot samples since October 14 have used group tags prefixed with mor (for example, mor131). This is very likely an attempt by TrickBot to replenish their victim base to offset any losses they may have experienced as a result of the takedown attempt.