From 5aa8a8a8b1b8880f2b0e9150d4deff7f1829813b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Mon, 10 Jan 2022 15:57:10 -0600
Subject: [PATCH] Adds Ragnatela RAT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jürgen Löhel
---
 clusters/rat.json | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/clusters/rat.json b/clusters/rat.json
index 4a01f58..7854de4 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3497,7 +3497,26 @@
 },
 "uuid": "35198ca6-6f8d-49cd-be1b-65f21b2e7e00",
 "value": "DarkWatchman"
+ },
+ {
+ "description": "Malwarebytes Lab identified a new variant of the BADNEWS RAT called Ragnatela. It is being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT. Ironically, the threat actor infected themselves with their own RAT.",
+ "meta": {
+ "refs": [
+ "https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
+ "uuid": "e79cb167-6639-46a3-9646-b12535aa21b6",
+ "value": "Ragnatela"
 }
 ],
- "version": 37
+ "version": 38
 }
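Review bot: The new Ragnatela entry names Patchwork APT as the operator only in the free-text `description`; its `related` array carries a single `similar` link, so the actor attribution is not machine-readable and an analyst pivoting from the actor cluster will not reach this RAT. Consider adding a second `related` object that points at the Patchwork threat-actor cluster, as sketched below with a placeholder UUID and a relation type to be checked against the galaxy's vocabulary. It is also worth confirming that `e9595678-d269-469e-ae6b-75e49259de63` resolves to the BADNEWS cluster, since the hunk does not show the target and the description calls Ragnatela a variant of it.

```json
{
  "dest-uuid": "<PLACEHOLDER-UUID-OF-PATCHWORK-THREAT-ACTOR-CLUSTER>",
  "tags": [
    "estimative-language:likelihood-probability=\"likely\""
  ],
  "type": "used-by"
}
```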