Trickbot Group

Threat Actor updated 8 days ago (2024-11-29T14:53:28.252Z)
The Trickbot Group, also known as ITG23, Wizard Spider, or DEV-0193, is a cybercriminal group with a long record of malicious activity. The group has been linked to Russian intelligence services and primarily targets non-Russian entities, including financial institutions and hospitals, with ransomware campaigns. Its operations were disrupted in the fall of 2020 through joint efforts by Cyber Command and Microsoft; however, Emotet, another cybercrime group, quickly moved to assist Trickbot's recovery by downloading Trickbot malware onto infected machines. The Trickbot Group has been under constant analysis by IBM Security X-Force researchers, who have noted the group's use of several crypters. These crypters are developed by the group itself and are used to evade detection by security products by abusing the trust placed in certificate authorities. The group uses signed loaders and malware, which are identified by a statically defined "gtag" that beacons to its command and control (C2) infrastructure. Notably, the group has replaced the BazarLoader backdoor with its own malware to gain initial access to a victim's infrastructure during ransomware attacks. Key members of the Trickbot Group include Sergey Loguntsov and Artem Kurov, who worked as developers; Vadym Valiakhmetov, a coder known by the online monikers Weldon, Mentos, and Vasm; and Maksim Rudenskiy, a team lead for coders. Additionally, Vladimir Dunaev, from Amur Oblast in the far east of Russia, was identified as an integral member of the criminal group. The U.S. Department of the Treasury and the U.S. Department of Justice have taken actions against these individuals, including sanctions and legal proceedings, for their involvement in the group's operations.
Description last updated: 2024-10-22T17:43:03.572Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Alias: Wizard Spider
Description: Wizard Spider is a possible alias for Trickbot Group. Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a prominent cybercrime group. As per IBM Security X-Force's research, this threat actor is responsible for developing several crypters and has been expanding the number and variety of channels it uses to distribu
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Russia
Trojan
Fraud
Associated Malware
Malware: TrickBot
Description: The TrickBot malware is associated with Trickbot Group. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,
Association type: Unspecified
Votes: 10

Malware: Dyre
Description: The Dyre malware is associated with Trickbot Group. Dyre, also known as Dyreza or Dyzap, is a banking Trojan that was initially designed to monitor online banking transactions with the aim of stealing passwords, money, or both. It first emerged in 2009 and 2010, targeting victim bank accounts held at various U.S.-based financial institutions. These i
Association type: Unspecified
Votes: 2
Source Document References
Information about the Trickbot Group threat actor was read from a corpus of source documents (this display is limited to 20 results).