Trickbot Group

Threat Actor updated a month ago (2024-10-24T14:41:07.152Z)

Download STIX

Preview STIX

The Trickbot Group, also known as ITG23, Wizard Spider, or DEV-0193, is a cybercriminal entity notorious for its malicious activities. This threat actor group has been linked to Russian intelligence services and primarily targets non-Russian entities, including financial institutions and hospitals, with ransomware campaigns. The group's operations were disrupted in the fall of 2020 through joint efforts by Cyber Command and Microsoft. However, Emotet, another cybercrime group, quickly moved to assist Trickbot's recovery by downloading Trickbot malware onto infected machines. The Trickbot Group has been under constant analysis by IBM Security X-Force researchers who have noted the group's use of several crypters. These crypters are developed by the group itself and are used to evade security product detection by abusing the trust of certificate authorities. The group uses signed loaders and malware, which are identified by a statically defined "gtag" that beacons to its Command & Control (C2) infrastructure. Notably, the group has replaced the BazarLoader backdoor with its own malware to gain initial access to a victim's infrastructure during ransomware attacks. Key members of the Trickbot Group include Sergey Loguntsov and Artem Kurov, who worked as developers, Vadym Valiakhmetov, a coder known by the online monikers Weldon, Mentos, and Vasm, and Maksim Rudenskiy, a team lead for coders. Additionally, Vladimir Dunaev, from Amur Oblast in the far east of Russia, was identified as an integral member of the criminal group. The U.S. Department of the Treasury and the U.S. Department of Justice have taken actions against these individuals, including sanctions and legal proceedings, for their involvement in the group's operations.

Description last updated: 2024-10-22T17:43:03.572Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Wizard Spider is a possible alias for Trickbot Group. Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a prominent cybercrime group. As per IBM Security X-Force's research, this threat actor is responsible for developing several crypters and has been expanding the number and variety of channels it uses to distribu	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Malware

Russia

Trojan

Fraud

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The TrickBot Malware is associated with Trickbot Group. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,	Unspecified	10
The Dyre Malware is associated with Trickbot Group. Dyre, also known as Dyreza or Dyzap, is a banking Trojan that was initially designed to monitor online banking transactions with the aim of stealing passwords, money, or both. It first emerged in 2009 and 2010, targeting victim bank accounts held at various U.S.-based financial institutions. These i	Unspecified	2

Source Document References

Information about the Trickbot Group Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	a month ago	Experts warn of a new wave of Bumblebee malware attacks
Securityaffairs	a year ago	UK and US sanctioned 11 members of Russia-based TrickBot gang
CERT-EU	a year ago	US, UK sanction members of Russian cybercrime ring \| #cybercrime \| #infosec \| National Cyber Security Consulting
CERT-EU	a year ago	Russian hacker pleads guilty to Trickbot malware conspiracy
CERT-EU	a year ago	TrickBot developer pleads guilty, faces up to 35 years in prison
CERT-EU	a year ago	TrickBot malware dev pleads guilty, faces 35 years in prison
CERT-EU	a year ago	Russian pleads guilty in US to role in Trickbot malware scheme
SecurityIntelligence.com	a year ago	ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
CERT-EU	2 years ago	US, UK Sanction Russians Tied to TrickBot Hacking Gang \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker - National Cyber Security
CERT-EU	a year ago	Russian hackers who backed Ukraine war and targeted UK hospitals during COVID pandemic are hit with sanctions \| UK News \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	US, UK Penalise Russian Trickbot Cyber Gang Members
CERT-EU	a year ago	UK and US sanction 11 Russians connected to notorious Trickbot group
Trend Micro	a year ago	TrickBot & Conti Sanctions for CISOs & Board Members
CERT-EU	2 years ago	Cyber security week in review: February, 10
DARKReading	a year ago	Trickbot, Conti Sanctions Affect Top Cybercrime Brass
CERT-EU	2 years ago	US, UK sanction 7 alleged members of infamous Russian Trickbot hacking gang • TechCrunch \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware - National Cyber Security
CERT-EU	a year ago	Turns out even the NFL is worried about deepfakes
CERT-EU	a year ago	US Indicts Nine Russians Behind 'Trickbot' Malware \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	11 alleged Conti criminals hit with UK and US sanctions \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Russian ransomware group hit with new sanctions \| #ransomware \| #cybercrime \| National Cyber Security Consulting