From 32d90a27e17b9dcddaf1827cdae9f83697da6612 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 22 Oct 2018 14:46:44 +0200
Subject: [PATCH 1/4] add GhostMiner

---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index a26a738..da07a7d 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7361,7 +7361,17 @@
 },
 "uuid": "d93894ee-d5d7-11e8-b360-572c0c441c8f",
 "value": "NAMEDPIPETOUCH"
+ },
+ {
+ "description": "GhostMiner is a new cryptocurrency mining malware. By the end of March 2018, a new variant of mining malware was detected targeting MSSQL, phpMyAdmin, and Oracle WebLogic servers. The sample uses Powershell to execute code with volatile resources and scans the server's processes to detect and stop other miners that might have been running prior to execution.\nThe fileless malware has become more popular in the last years. The malicious code runs directly in main memory without writing any file on disk, where an antivirus engine could detect it.",
+ "meta": {
+ "refs": [
+ "https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018"
+ ]
+ },
+ "uuid": "0a339826-d5f8-11e8-b520-5b93fe65a08e",
+ "value": "GhostMiner"
 }
 ],
- "version": 96
+ "version": 97
 }

From 4a54044de6cebff97ab94f634db3e3f71a3df887 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 22 Oct 2018 14:50:57 +0200
Subject: [PATCH 2/4] add NukeSped reference

---
 clusters/rat.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/clusters/rat.json b/clusters/rat.json
index 1612b6e..d2be89b 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
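Review bot: The new GhostMiner description opens with "GhostMiner is a new cryptocurrency mining malware", and "new" is relative to the October 2018 commit rather than to anything in the entry, so the text goes stale as the galaxy ages while the following sentence already carries the real date. Anchoring it, e.g. `"description": "GhostMiner is a cryptocurrency mining malware first reported in March 2018. A variant was detected targeting MSSQL, phpMyAdmin, and Oracle WebLogic servers. ..."`, reads the same for a future analyst. The only reference is an AlienVault forum digest, which is a secondary source; if the vendor write-up it summarises is available it should be listed first so the entry points at primary reporting. The behavioural detail kept in the description — PowerShell-driven in-memory execution and termination of competing miners — is the part defenders key on, so it is worth preserving as the description is tightened.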
@@ -3271,6 +3271,7 @@
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/NukeSped!bit&ThreatID=-2147238152",
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/NukeSped",
 "https://malwarefixes.com/threats/win32nukesped/",
+ "https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018",
 "https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018"
 ]
 },

From af6020077e91fbf200c6b5705c6f7b7baa071486 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 23 Oct 2018 15:25:37 +0200
Subject: [PATCH 3/4] add August Stealer

---
 clusters/threat-actor.json | 7 +++++--
 clusters/tool.json | 15 ++++++++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 229f8ff..2534fbf 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3188,7 +3188,10 @@
 {
 "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns",
 "meta": {
- "country": "CN"
+ "country": "CN",
+ "refs": [
+ "https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene"
+ ]
 },
 "uuid": "4b79d1f6-8333-44b6-ac32-d1ea7e47e77f",
 "value": "TA530"
@@ -5982,5 +5985,5 @@
 "value": "The Shadow Brokers"
 }
 ],
- "version": 74
+ "version": 75
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index da07a7d..ed2b83b 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
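Review bot: The line added to the NukeSped `refs` array is byte-identical to the existing final element directly below it, so this commit introduces a duplicate rather than a new reference, and the subject's "add NukeSped reference" was already satisfied by the pre-existing entry. Patch 4/4 deletes the duplicate again and its `index d2be89b..1612b6e` restores rat.json to the blob this patch started from, so the two commits net to zero; dropping both from the series, or squashing them, keeps the history from carrying a self-cancelling pair and avoids an intermediate state with a duplicated array element. The enclosing NukeSped object starts outside the hunk.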
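Review bot: The TA530 entry gains a ref to the Proofpoint August post, but its connection to the August tool created in the same patch (`clusters/tool.json`, uuid `9972d4c4-d6c6-11e8-867e-87b4a45aa76d`) is expressed only implicitly through the shared URL, so a consumer of the galaxy cannot query the actor-tool relationship. If these files follow the MISP `related` convention, an entry such as `"related": [{"dest-uuid": "9972d4c4-d6c6-11e8-867e-87b4a45aa76d", "type": "uses"}]` on TA530 (and the inverse on the tool) makes the link explicit; the relationship type value should be confirmed against the project's vocabulary. The existing description is a first-person fragment from the cited vendor ("who we previously examined"), and now that the source is referenced it could be reworded into the galaxy's own voice. The second hunk of this file is only the version bump.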
@@ -7371,7 +7371,20 @@
 },
 "uuid": "0a339826-d5f8-11e8-b520-5b93fe65a08e",
 "value": "GhostMiner"
+ },
+ {
+ "description": "August contains stealing functionality targeting credentials and sensitive documents from the infected computer.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene"
+ ],
+ "synonyms": [
+ "August Stealer"
+ ]
+ },
+ "uuid": "9972d4c4-d6c6-11e8-867e-87b4a45aa76d",
+ "value": "August"
 }
 ],
- "version": 97
+ "version": 98
 }

From 6e8abc0712557c1313c3025a618ee883ceba7277 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 23 Oct 2018 15:37:51 +0200
Subject: [PATCH 4/4] fix duplicate ref

---
 clusters/rat.json | 1 -
 1 file changed, 1 deletion(-)

diff --git a/clusters/rat.json b/clusters/rat.json
index d2be89b..1612b6e 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3271,7 +3271,6 @@
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/NukeSped!bit&ThreatID=-2147238152",
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/NukeSped",
 "https://malwarefixes.com/threats/win32nukesped/",
- "https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018",
 "https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018"
 ]
 },
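Review bot: `"value": "August"` is a bare month name, and since a cluster's value becomes the label analysts tag events with, it invites collisions with unrelated uses of the word in searches and reports; the synonym list already carries the unambiguous form, so swapping the two — `"value": "August Stealer"` with `"synonyms": ["August"]` — keeps both findable while the primary name stays distinctive. This is worth settling before merge, because renaming a value after it has been used as a tag breaks existing references, whereas adding synonyms later is harmless. The description is a single sentence; noting which credential stores or document types the cited Proofpoint post describes would make the entry more useful to detection engineers, but only as far as that source supports it. The enclosing array continues outside the hunk on both sides.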