From faef21e15d18a65a4337631bdfdef2ca3d1ee38b Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Fri, 13 Oct 2023 12:02:20 +0200
Subject: [PATCH] Added information related to Wizard Spider
---
 clusters/threat-actor.json | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1700cda..0efc886 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7225,6 +7225,34 @@
 "description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
 "meta": {
 "country": "RU",
+ "cfr-suspected-victims": [
+ "Australia",
+ "Bahamas",
+ "Canada",
+ "Costa Rica",
+ "France",
+ "Germany",
+ "India",
+ "Ireland",
+ "Italy",
+ "Japan",
+ "Mexico",
+ "New Zealand",
+ "Spain",
+ "Switzerland",
+ "Taiwan",
+ "United Kingdom",
+ "Ukraine",
+ "United States"
+ ],
+ "cfr-target-category": [
+ "Defense",
+ "Financial",
+ "Government",
+ "Healthcare",
+ "Telecommunications"
+ ],
+ "cfr-suspected-state-sponsor": "Russian Federation",
 "refs": [
 "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
 "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
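Review bot: The added `"cfr-suspected-state-sponsor": "Russian Federation",` line asserts state sponsorship for a group that this entry's own description calls a Russia-based criminal enterprise (TrickBot operator, Ryuk big-game hunting), and none of the refs visible in this hunk, nor the two added later in the patch, appear to be the CFR Cyber Operations Tracker that the `cfr-` key prefix points to. `"country": "RU"` already records where the group operates from; a state-sponsor attribution is a materially stronger claim that downstream consumers filtering MISP galaxies on that field will treat as authoritative, so either drop the line or add a ref that actually makes the claim. Separately, `"Ukraine"` is out of alphabetical order in `cfr-suspected-victims` (it sits between `"United Kingdom"` and `"United States"` while the rest of the list is sorted), so move it before `"United Kingdom"`.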
@@ -7237,7 +7265,9 @@
 "https://www.secureworks.com/research/dyre-banking-trojan",
 "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic",
 "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
- "http://www.secureworks.com/research/threat-profiles/gold-blackburn"
+ "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
+ "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf",
+ "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf"
 ],
 "synonyms": [
 "TEMP.MixMaster",
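Review bot: The rewritten `"http://www.secureworks.com/research/threat-profiles/gold-blackburn",` line on the new side keeps the plaintext `http://` scheme while every other ref in this hunk is `https://`; since the line is already being touched to add the trailing comma, change it to `"https://www.secureworks.com/research/threat-profiles/gold-blackburn",` (assuming it resolves there, which I have not verified). The two new refs are direct PDF links — the EuRepoC one is a strapi upload path with a hash suffix in the filename and the PRODAFT one carries a version number (`v.1.4`) — so both look likely to break when the host re-uploads; consider pointing at the report landing pages or adding an archived copy alongside. The `synonyms` array continues outside the hunk.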