From 308774755c8d5b01bfd30ea0ab868c83fdfdd715 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 3 Jun 2018 18:39:37 +0200
Subject: [PATCH] add: Iron Backdoor

---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index ea299cc..877d1f1 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2,7 +2,7 @@
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "name": "Tool",
 "source": "MISP Project",
- "version": 70,
+ "version": 71,
 "values": [
 {
 "meta": {
@@ -4242,6 +4242,16 @@
 "description": "Advanced, likely state-sponsored or state-affiliated modular malware. The code of this malware overlaps with versions of the BlackEnergy malware. Targeted devices are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) systems.",
 "value": "VPNFilter",
 "uuid": "895d769e-b288-4977-a4e1-7d64eb134bf9"
+ },
+ {
+ "uuid": "1740ec4-d730-40d6-a3b8-32d5fe7f21cf",
+ "value": "Iron Backdoor",
+ "description": "Iron Backdoor uses a virtual machine detection code taken directly from HackingTeam’s Soldier implant leaked source code. Iron Backdoor is also using the DynamicCall module from HackingTeam core library. Backdoor was used to drop cryptocurrency miners.",
+ "meta": {
+ "refs": [
+ "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/"
+ ]
+ }
 }
 ],
 "authors": [
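Review bot: The `"uuid"` of the new Iron Backdoor entry, `"1740ec4-d730-40d6-a3b8-32d5fe7f21cf"`, is not a well-formed UUID: its first group has 7 hex digits where the 8-4-4-4-12 layout requires 8, so it is one character short. Every other entry in this hunk (the sibling `"895d769e-b288-4977-a4e1-7d64eb134bf9"`, the cluster's own `"0d821b68-…"`) carries a full 36-character UUID, and the cluster UUID is what consumers use to key and cross-reference galaxy values, so a malformed one is likely to be rejected by any schema or format validation run on this file and may silently fail to link if another cluster references it. It should be replaced with a freshly generated version-4 UUID before merge, e.g. `"uuid": "<new-uuid4-placeholder>"`, rather than by guessing the missing digit. The `"values"` array that contains the new object starts outside this hunk.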