Unraveling Wizard Spider's Operations

Industry: N/A | Level: Tactical | Source: Hacker News

Intelligence collected from Prodraft revealed the nuances of the cybercriminal group, Wizard Spider's organizational structure, and goals. The group's financial successes provides funding to advance their research and development plans, maintaining a effective toolset is a priority for the group. A hash cracking system was discovered by the team capable of unraveling "LM:NTLM hashes, cached domain credentials, Kerberos 5 TGS-REP/AS-REP tickets, KeePass files, MS Office 2013 files, and other types of common hashes." Additionally, a cold-calling system used to pressure non-responsive victims into complying with the group's ransom was reviewed. Wizard Spider's primary method of initial access comes from distributing spam emails containing Qakbot malware or proxy malware such as SystemBC. Additionally, the group is found to be leveraging an exploit kit incorporating the Log4Shell vulnerability. Once the network has been infiltrated, the threat group conducts reconnaissance to identify high-value targets. Cobalt Strike is deployed to assist with lateral movement and the group prioritizes obtaining domain admin privileges to be able to deploy Conti ransomware. Various tools are identified to be used by Wizard Spider including numerous PowerShell scripts, Rubeus, SecretsDump, Adfind, Mimikatz, FileZilla, and Rclone.

Anvilogic Use Cases:

• Executable Create Script Process
• Rubeus Commands
• Locate Credentials
• Query Registry
• NTDSUtil.exe execution
• SecretsDump Credential Harvest
• Adfind Execution
• Adfind Commands
• Mimikatz
• Rclone Execution
• Windows FTP Exfiltration