Researchers identify the details on Billion-Dollar Wizard Spider Cybercrime Gang

A new cyber criminal group called Wizard Spider has been exposed by security researchers, with details on its motive and organizational structure. The Wizard Spider is an hacking entity that targets European and US organizations with a unique hacking tool used to breach high value entities, said PRODAFT, a cybersecurity company based out of Switzerland.

Details on Wizard Spider Gang

This Wizard Spider aka Gold Blackburn is suspected to be from Russia and might be linked to the TrickBot Botnet, a modular malware which was discontinued this year and improvised with Bazarbackdoor.

The TrickBot operators have also been working with Conti-ransomware operators from Russia that sells RaaS for malicious operations. Gold Ultrick (aka Grim Spider) is the group that has been distributing the Conti ransomware is exploiting the access granted via TrickBot to deploy ransomware targeted networks.

“Gold Ulrick is comprised of some or all of the same operators as Gold Blackburn, the threat group responsible for the distribution of malware such as TrickBot, BazarLoader and Beur Loader,” Secureworks said in a profile of the cybercriminal syndicate.

The ideal attack chains begin with spam campaigns that distribute payloads such as Qakbot and SystemBC, using them as launchpads to drop further tools, including Cobalt Strike for lateral movement, before executing the locker software. Besides the above attack vector, Wizard Spifer is known to use exploitation toolkits that make use of recently disclosed vulnerabilities including Log4Shell to gain an initial foothold on the target networks.

The Wizard Spider group has also invested in a VoIP setup that can hire telephone operators to cold-call non-responsive victims in a bid to put extra pressure and force them to pay the ransom.

Last year, a similar act was reported by Microsoft about BazarLoader campaign dubbed BazaCall, when the campaign used phony call centers to lure unsuspecting victims into installing ransomware on their systems.

“The group has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo,” the security researchers said.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, and Twitter. You can reach out to us via Twitter/ Facebook or mail us at admin@thecybersecuritytimes.com for advertising requests.