ThreatConnect Research Roundup: Wizard Spider / UNC1878 / Ryuk Campaign

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account.

Roundup Highlight: Wizard Spider / UNC1878 / Ryuk Campaign

Late 2020 Wizard Spider / UNC1878 / Ryuk Campaign ThreatConnect Common Community

In this Roundup, we highlight the Late 2020 Wizard Spider / UNC1878 / Ryuk Campaign.

In late September 2020, the criminal threat group known as Wizard Spider / UNC1878 / Ryuk resumed operations using Trickbot, Cobalt Strike, BazarLoader / Kegtap, and Ryuk ransomware. News reports indicate that some of the operations in this campaign have targeted US hospital networks and an Italian IT services company.

Several consistencies have been identified in sets of infrastructure registered as part of this campaign. Those non-definitive consistencies include the following:

  • Use of SSL certificates with subject strings “C=US, ST=TX, L=Texas, O=lol, OU=,” or “C=US, ST=TX, L=Texas, O=office, OU=,”.
  • Domain Registration through MonoVM, NameCheap, and Openprovider.
  • In some cases, registration of approximately ten domains at a time through one of the above resellers.
  • Reuse of strings within domain name, including “service,” “backup,” “helper,” “idrive,” and “boost” among others.
  • Repeated use of the same ISPs, and in some cases the same /24 CIDR block, for hosting. ISPs have included Frantech Solutions, Psychz Networks, Private Layer Inc, combahton GmbH, TeraSwitch Networks Inc., LeaseWeb USA Inc., and BACloud.

Sets of identified infrastructure have been captured in incidents associated with this campaign, and the most recent updates are listed below.

  • 20201028A: Ryuk Infrastructure Registered on 10/25/20 ThreatConnect Research identified several most likely Ryuk domains registered on October 25 2020 based on consistencies with infrastructure identified in Incident 20200930A: Domains Registered Through MonoVM Used with Cobalt Strike and other recent incidents.
  • 20201029A: Ryuk Infrastructure Registered on 10/27/20 ThreatConnect Research identified a domain most likely associated with Wizard Spider / UNC1878 / Ryuk. This domain was registered through NameCheap on October 27 2020 and uses an SSL certificate with similar strings compared to previously identified Ryuk infrastructure. Update 10/30/20 Several other most likely Ryuk domains were also registered at essentially the same time through NameCheap on October 27.
  •  20201029B: Possible Ryuk Infrastructure Registered on 10/26/20 ThreatConnect Research identified two domains registered essentially at the same time on October 26 2020 that are possibly related with Wizard Spider / UNC1878 / Ryuk based on non-definitive domain string and registration similarities. These domains were registered through Openprovider and are hosted at an ISP (Frantech) recently used by other Ryuk domains. At this time we have no other information on the extent to which, if any, this infrastructure has been used maliciously. Update 10/29/20 Another possible Ryuk domain was also registered at essentially the same time as the aforementioned domains.
  • 20201029C: Ryuk Infrastructure Registered on 10/23/20 ThreatConnect Research identified domains which most likely are associated with Wizard Spider / UNC1878 / Ryuk. These domains were registered through Openprovider on October 23 2020 and use a SSL certificates with similar strings compared to previously identified Ryuk infrastructure. We also identified three other domains that were registered at a different time on October 23 through Openprovider that possibly are related to the same group.

All IOCs associated to this campaign have been included in this CSV.

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

  • 20201030A: Suspicious Domains Hosted at 45.79.219[.]211 ThreatConnect Research identified a suspicious domain which was registered through Njalla on October 28 2020. The domain is currently hosted at a Linode IP. Several other domains also currently resolve to the IP, notably two spoofing Internet Explorer updates.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

ThreatConnect Research Team
About the Author
ThreatConnect Research Team

The ThreatConnect Research Team: is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.