Trickbot Group

Threat Actor updated 5 months ago (2024-05-04T20:55:16.055Z)
The Trickbot Group, also known as ITG23, Wizard Spider, and DEV-0193, is a cybercriminal threat actor group. IBM Security X-Force researchers have analyzed the group consistently because of its development and use of several crypters. In the fall of 2020, efforts were made to disrupt Trickbot's operations, prompting the Emotet botnet to assist in ITG23's recovery by downloading Trickbot malware to infected machines. Notably, each individual Trickbot sample beacons to its command and control (C2) infrastructure with a statically defined "gtag", which is believed to act as an identifier for distinct Trickbot customers. Key members of the Trickbot group include Sergey Loguntsov, Artem Kurov, Vadym Valiakhmetov, and Maksim Rudenskiy, who served in roles ranging from developers to coders. Vladimir Dunaev, a Russian national from Amur Oblast, was also identified as an integral member of the criminal Trickbot group, which became infamous for a sophisticated information-stealing Trojan that defrauded innocent internet users for years. The group abuses the trust placed in certificate authorities by using signed loaders and malware to evade detection by security products. In response to these activities, the U.S. Department of the Treasury sanctioned several individuals involved in management and procurement for the Trickbot group, citing their ties to Russian intelligence services. The group primarily targeted non-Russian entities, including financial institutions and hospitals, with ransomware campaigns; according to the U.S. Treasury Department, the group's aims are aligned with those of the Russian government. The sanctioned individuals included administrators, managers, developers, and coders who materially supported the operations of the Trickbot group.
Description last updated: 2024-05-04T16:49:03.704Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

Alias: Wizard Spider (votes: 2)
Wizard Spider is a possible alias for Trickbot Group. Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a significant threat actor in the cybercrime landscape. This group has been continually analyzed by IBM Security X-Force researchers for its use of several crypters and is credited with creating the notorious, ev
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Russia
Fraud
Trojan
Associated Malware

Malware: TrickBot (association type: Unspecified; votes: 10)
The TrickBot Malware is associated with Trickbot Group. TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea

Malware: Dyre (association type: Unspecified; votes: 2)
The Dyre Malware is associated with Trickbot Group. Dyre, also known as Dyreza or Dyzap, is a banking Trojan that was initially designed to monitor online banking transactions with the aim of stealing passwords, money, or both. It first emerged in 2009 and 2010, targeting victim bank accounts held at various U.S.-based financial institutions. These i
Source Document References
Information about the Trickbot Group Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source                     Created
Securityaffairs            a year ago
CERT-EU                    a year ago
CERT-EU                    10 months ago
CERT-EU                    10 months ago
CERT-EU                    a year ago
CERT-EU                    a year ago
SecurityIntelligence.com   a year ago
CERT-EU                    2 years ago
CERT-EU                    a year ago
CERT-EU                    a year ago
CERT-EU                    a year ago
Trend Micro                a year ago
CERT-EU                    2 years ago
DARKReading                a year ago
CERT-EU                    2 years ago
CERT-EU                    a year ago
CERT-EU                    a year ago
CERT-EU                    a year ago
CERT-EU                    a year ago
Malwarebytes               2 years ago