From 632f030b28273c769d398151414099adcc908ee1 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 20 Nov 2017 12:32:35 +0100
Subject: [PATCH 1/2] update tool galaxy
---
 clusters/tool.json | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index e569134..5c8bb36 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 36,
+ "version": 37,
 "values": [
 {
 "meta": {
@@ -3038,6 +3038,39 @@
 "https://www.us-cert.gov/ncas/alerts/TA17-318B"
 ]
 }
+ },
+ {
+ "value": "Nymaim",
+ "description": "Nymaim is a 2-year-old strain of malware most closely associated with ransomware. We have seen recent attacks spreading it using an established email marketing service provider to avoid blacklists and detection tools. But instead of ransomware, the malware is now being used to distribute banking Trojans",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0"
+ ]
+ }
+ },
+ {
+ "value": "GootKit",
+ "description": "As was the case earlier, the bot Gootkit is written in NodeJS, and is downloaded to a victim computer via a chain of downloaders. The main purpose of the bot also remained the same – to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/inside-the-gootkit-cc-server/76433/",
+ "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/",
+ "https://securityintelligence.com/gootkit-launches-redirection-attacks-in-the-uk/",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2010-051118-0604-99"
+ ],
+ "synonyms": [
+ "Gootkit"
+ ]
+ },
+ }
+ {
+ "value": "Agent Tesla",
+ "description": "Agent Tesla is modern powerful keystroke logger. It provides monitoring your personel computer via keyboard and screenshot. Keyboard, screenshot and registered passwords are sent in log. You can receive your logs via e-mail, ftp or php(web panel). ",
+ "meta": {
+ "refs": [
+ "https://www.agenttesla.com/"
+ ]
+ }
 }
 ]
 }
From ff3cb27a3ba697b2df8ec12151e9f7a8a51f4cfd Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 20 Nov 2017 12:33:47 +0100
Subject: [PATCH 2/2] jq
---
 clusters/tool.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
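Review bot: The "Agent Tesla" description added in this hunk is the seller's own marketing copy in the second person ("your personel computer", "You can receive your logs"), with a typo and a trailing space inside the string, and its only reference is the vendor site `https://www.agenttesla.com/`; a galaxy entry should describe the tool from an analyst's view, e.g. `"description": "Agent Tesla is a commercially sold keystroke logger and information stealer that captures keystrokes, screenshots and stored passwords and sends the collected logs by e-mail, FTP or to a PHP web panel."`, with an independent analysis write-up added to `refs` if one is available. The Nymaim description's "2-year-old strain" is relative to the cited article's publication date and will drift as the cluster ages; replace it with the year the article gives, or drop the age. The GootKit description opens with "As was the case earlier," a fragment that depends on context from the securelist article and reads as a non sequitur in a standalone entry; drop that clause. The same Agent Tesla description line reappears as a context line in the PATCH 2/2 hunk, so the wording fix applies there too.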
diff --git a/clusters/tool.json b/clusters/tool.json
index 5c8bb36..ec0fad8 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3061,8 +3061,8 @@
 "synonyms": [
 "Gootkit"
 ]
- },
- }
+ }
+ },
 {
 "value": "Agent Tesla",
 "description": "Agent Tesla is modern powerful keystroke logger. It provides monitoring your personel computer via keyboard and screenshot. Keyboard, screenshot and registered passwords are sent in log. You can receive your logs via e-mail, ftp or php(web panel). ",