From 14444e4321fa0bc91d9857ee466cb7f215794583 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 8 Nov 2018 10:39:32 +0100
Subject: [PATCH] add several tools and refs

---
 clusters/rat.json | 8 +++++---
 clusters/threat-actor.json | 8 +++++---
 clusters/tool.json | 23 ++++++++++++++++++++---
 3 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/clusters/rat.json b/clusters/rat.json
index 1612b6e..a69212b 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -286,7 +286,8 @@
 "refs": [
 "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf",
 "https://www.f-secure.com/v-descs/backdoor_java_adwind.shtml",
- "https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat"
+ "https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
 ],
 "synonyms": [
 "UNRECOM",
@@ -724,7 +725,8 @@
 "date": "2014",
 "refs": [
 "https://github.com/quasar/QuasarRAT",
- "https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/"
+ "https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
 ]
 },
 "related": [
@@ -3278,5 +3280,5 @@
 "value": "NukeSped"
 }
 ],
- "version": 20
+ "version": 21
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9574a5c..4c78add 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -105,7 +105,8 @@
 "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
 "http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf",
 "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/",
- "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html"
+ "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
 ],
 "synonyms": [
 "C0d0so",
@@ -995,7 +996,8 @@
 "country": "CN",
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
- "https://www.cfr.org/interactive/cyber-operations/apt-10"
+ "https://www.cfr.org/interactive/cyber-operations/apt-10",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
 ],
 "synonyms": [
 "APT10",
@@ -5999,5 +6001,5 @@
 "value": "EvilTraffic"
 }
 ],
- "version": 76
+ "version": 77
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index ed2b83b..4a2b1fb 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -677,7 +677,8 @@
 "meta": {
 "refs": [
 "https://github.com/gentilkiwi/mimikatz",
- "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
 ],
 "synonyms": [
 "Mikatz"
@@ -2049,9 +2050,15 @@
 "value": "Hoardy"
 },
 {
+ "description": "HUC Packet Transmitter (HTran) is a proxy tool, used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker's communications with victim networks. The tool has been freely available on the internet since at least 2009.\nHTran facilitates TCP connections between the victim and a hop point controlled by an attacker. Malicious cyber actors can use this technique to redirect their packets through multiple compromised hosts running HTran, to gain greater access to hosts in a network",
 "meta": {
 "refs": [
- "http://www.secureworks.com/research/threats/htran/"
+ "http://www.secureworks.com/research/threats/htran/",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
+ ],
+ "synonyms": [
+ "HUC Packet Transmitter",
+ "HTran"
 ]
 },
 "uuid": "f3bfe513-2a65-49b5-9d64-a66541dce697",
@@ -7384,7 +7391,17 @@
 },
 "uuid": "9972d4c4-d6c6-11e8-867e-87b4a45aa76d",
 "value": "August"
+ },
+ {
+ "description": "China Chopper is a publicly available, well-documented web shell, in widespread use since 2012.",
+ "meta": {
+ "refs": [
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
+ ]
+ },
+ "uuid": "1ac4a966-0c74-46d5-b7e1-a40f4c681bc8",
+ "value": "China Chopper"
 }
 ],
- "version": 98
+ "version": 99
 }
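Review bot: The added `description` string in the HTran hunk ends without a terminal period (`...to gain greater access to hosts in a network`), while the China Chopper description added further down in the same file ends with one; append the `.` so the two new descriptions read consistently. The new `synonyms` array lists `HTran`; the entry's own `value` line follows the `uuid` line outside the hunk, and if that value is already `HTran` the synonym merely duplicates it and can be dropped, which is worth confirming against the file. The enclosing cluster entry's `value` and closing brace lie outside the hunk.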
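Review bot: The new China Chopper entry records "in widespread use since 2012" only in free text, whereas this same commit shows the convention of structured meta for that fact (the Quasar entry in clusters/rat.json carries `"date": "2014"`); adding `"date": "2012"` to its `meta` would make the timeline queryable, assuming tool.json's schema accepts that key as rat.json's does. A web shell this widely documented may already be described in another cluster of this galaxy under the same or a variant name; before minting the fresh `uuid`, it is worth checking for an existing entry and linking it through a `related` array (as the Quasar entry does) rather than introducing a duplicate. The cluster's single reference is the same NCSC `protected_files` PDF added across all hunks, so the entry has no independent source if that path moves.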