From 6eb594a6b019739eaa3a0dcaaabd9ae853e5c9fb Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Fri, 16 Apr 2021 15:12:45 +0200
Subject: [PATCH 1/3] adding Yanbian Gang as threat actor
---
 clusters/threat-actor.json | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8d15715..4fc9c70 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8535,7 +8535,25 @@
 },
 "uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5",
 "value": "Ghostwriter"
+ },
+ {
+ "description": "RiskIQ characterizes the Yanbian Gang as a group that targeted South Korean Android mobile banking customers since 2013 with malicious Android apps purporting to be from major banks, namely Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "South Korea",
+ "Japan"
+ ],
+ "refs": [
+ "https://www.riskiq.com/blog/external-threat-management/yanbian-gang-malware-distribution/",
+ "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html",
+ "https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html",
+ "https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-malware-gang-steals-millions-from-south-korean-users/"
+ ]
+ },
+ "uuid": "eaeae8e9-cc4b-4be8-82fd-8edc65ff9a5e",
+ "value": "Yanbian Gang"
 }
 ],
- "version": 200
+ "version": 201
 }
From e7061f90d90e8d4bfdaba461a814c92ed3506b74 Mon Sep 17 00:00:00 2001
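Review bot: The `cfr-suspected-victims` list in the new Yanbian Gang entry adds `"Japan"`, but the `description` only covers the 2013 South Korean banking-app campaign, so a consumer of the galaxy cannot see where the Japan claim comes from or how firm it is; judging by their URL titles, the FakeSpy reference in `refs` is about malware targeting Japanese- and Korean-speaking users, and the other Trend Micro reference frames the XLoader/FakeSpy link as only "possible ties" to the gang. I would extend the description with a sentence such as `Trend Micro later reported possible ties between the group and the XLoader and FakeSpy Android malware families (2018), which also targeted Japanese-speaking users.`, so the victim list, the refs and the attribution strength agree. The `version` bump to 201 is the right accompaniment to a cluster change. The enclosing threat-actor array and the preceding Ghostwriter entry start outside the hunk, so their other fields could not be checked for consistency with this one.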
From: Alexandre Dulaunoy
Date: Mon, 19 Apr 2021 15:08:06 +0200
Subject: [PATCH 2/3] chg: [ransomware] remove duplicate "File-Locker"
---
 clusters/ransomware.json | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 5db8ca2..5c67f52 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -15906,11 +15906,6 @@
 "uuid": "35c968af-cee9-40bf-9d62-b8ba5d6dbc8f",
 "value": "FileFuck"
 },
- {
- "description": "ransomware",
- "uuid": "bf09fca0-30ad-4c2c-a3cd-5486382e8e2c",
- "value": "File-Locker"
- },
 {
 "description": "ransomware",
 "uuid": "39a197ff-be4b-45a7-bdc8-fc17af421d63",
From 28f6475cc5744c0232c190e809b6151b27a031c3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 19 Apr 2021 15:13:18 +0200
Subject: [PATCH 3/3] chg: [ransomware] first duplicate removed
---
 clusters/ransomware.json | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 5c67f52..c9957c7 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -15921,11 +15921,6 @@
 "uuid": "02c5bf92-23e8-404c-9fe9-5e50f587d0c4",
 "value": "FindZip"
 },
- {
- "description": "ransomware",
- "uuid": "ba21bae0-8af7-492d-84b7-e424b99b5d4a",
- "value": "First"
- },
 {
 "description": "ransomware",
 "uuid": "b9f1d220-2ef0-4b1d-84ed-ae6843e5828e",