Added information related to Wizard Spider

2024-11-22 23:07:19 +00:00 · 2023-10-13 12:02:20 +02:00 · 2023-10-13 12:02:20 +02:00 · faef21e15d
commit faef21e15d
parent 613e9feb12
1 changed files with 31 additions and 1 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -7225,6 +7225,34 @@
      "description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
      "meta": {
        "country": "RU",
+        "cfr-suspected-victims": [
+          "Australia",
+          "Bahamas",
+          "Canada",
+          "Costa Rica",
+          "France",
+          "Germany",
+          "India",
+          "Ireland",
+          "Italy",
+          "Japan",
+          "Mexico",
+          "New Zealand",
+          "Spain",
+          "Switzerland",
+          "Taiwan",
+          "United Kingdom",
+          "Ukraine",
+          "United States"
+        ],
+        "cfr-target-category": [
+          "Defense",
+          "Financial",
+          "Government",
+          "Healthcare",
+          "Telecommunications"
+        ],
+        "cfr-suspected-state-sponsor": "Russian Federation",
        "refs": [
          "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
          "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
@ -7237,7 +7265,9 @@
          "https://www.secureworks.com/research/dyre-banking-trojan",
          "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic",
          "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
-          "http://www.secureworks.com/research/threat-profiles/gold-blackburn"
+          "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
+          "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf",
+          "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf"
        ],
        "synonyms": [
          "TEMP.MixMaster",