New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration

On March 17, 2019, CrowdStrike® Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDER), which may provide WIZARD SPIDER with additional tools to steal sensitive information and conduct fraudulent wire transfers. This activity also provides further evidence to support the existence of a flourishing relationship between these two actors. WIZARD SPIDER’s TrickBot banking malware began distributing a new proxy module named shadDll to group tags (gtags) prefixed with sin and tin. These gtags have previously been associated with LUNAR SPIDER’s BokBot (a.k.a. IcedID) malware, which was discussed in a previous blog. The module contains identical functionality to that of the BokBot proxy module. The new proxy module incorporates many of the most potent BokBot features within the extensible, modular framework of the TrickBot malware. Binary code analysis revealed that the shadDll TrickBot module is 81 percent similar to the BokBot proxy module with 99 percent confidence.

Man-in-the-Middle Attacks

This new TrickBot module, shadDll,

 

is primarily responsible for performing man-in-the-middle (MITM) attacks against web browsers on infected hosts, achieved by hooking networking functions and installing illegitimate SSL certificates. Once the malware is able to intercept SSL traffic, it can use the various BokBot configuration entries to strategically redirect web traffic, inject code, take screenshots, and otherwise manipulate victims’ browsing experience.
The shadDll module contains typical characteristics of a TrickBot module. More explicitly, the modules are dynamic link libraries (DLLs), they contain no TrickBot encrypted strings, and they have the standard TrickBot exports of Start, Control

 

and
Release. Although the shadDll module contains no TrickBot-encrypted strings, it does contain strings obfuscated using the custom XOR encoding used in the BokBot proxy module.

Hard-Coded DN Values

Of particular interest is the following hard-coded distinguished name (DN) values, which are identical to the ones found within the illegitimate certificates that the BokBot proxy module uses for performing MITM attacks. C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only; CN=VeriSign Class 3 Public Primary Certification Authority

 

- G5

Further Solidification of Two eCrime Groups

This development between WIZARD SPIDER and LUNAR SPIDER further solidifies the connection between the two groups, which stretches back to the Dyre (a.k.a. Dyreza) and Neverquest era. CrowdStrike Intelligence will continue to monitor this intriguing working relationship and mutual integration. A detailed analysis of the BokBot proxy module that is now being distributed by TrickBot is presented in this follow-up blog post.
Indicators of Compromise (IOCs)
Module NameSHA256 Hash
shadDll32dfea3d7607e72d4dff86be0ba30ec0620dc54d5d2a50799bbefe1e495e9accdd
shadDll642b5c064e269247be0dc1a4a20a7968206c9b82219daab7b10994f52770f68661

Additional Resources

 

Breaches Stop Here