From 6eb594a6b019739eaa3a0dcaaabd9ae853e5c9fb Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Fri, 16 Apr 2021 15:12:45 +0200
Subject: [PATCH] adding Yanbian Gang as threat actor
---
 clusters/threat-actor.json | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8d15715..4fc9c70 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8535,7 +8535,25 @@
 },
 "uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5",
 "value": "Ghostwriter"
+ },
+ {
+ "description": "RiskIQ characterizes the Yanbian Gang as a group that targeted South Korean Android mobile banking customers since 2013 with malicious Android apps purporting to be from major banks, namely Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "South Korea",
+ "Japan"
+ ],
+ "refs": [
+ "https://www.riskiq.com/blog/external-threat-management/yanbian-gang-malware-distribution/",
+ "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html",
+ "https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html",
+ "https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-malware-gang-steals-millions-from-south-korean-users/"
+ ]
+ },
+ "uuid": "eaeae8e9-cc4b-4be8-82fd-8edc65ff9a5e",
+ "value": "Yanbian Gang"
 }
 ],
- "version": 200
+ "version": 201
 }
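Review bot: The new entry lists "Japan" under `cfr-suspected-victims`, but its description only covers South Korean mobile banking customers, so a consumer of this galaxy cannot tell what supports the Japan attribution; presumably it comes from the Trend Micro FakeSpy/XLoader references, and the description should say so, e.g. append `Later Trend Micro research ties the group to the XLoader and FakeSpy Android malware families, which also targeted Japanese-speaking users.` Since the description establishes financial-sector targeting, adding `"cfr-target-category": ["Private sector"]` under `meta` would keep the entry consistent with other actors in this file that carry a target category. Whether the cited sources support a `country` or `synonyms` value is not visible in the hunk and would need checking against the references before adding either.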