From 7ede54c76c91edd4b1656b2e601b9b7771ffac23 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 13 Jan 2017 08:18:41 +0100
Subject: [PATCH 1/3] "the shoemaker's son always goes barefoot" Regin added
---
 clusters/tool.json | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 6988a9c..8a9858b 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -359,7 +359,12 @@
 "value": "FireMalv"
 },
 {
- "value": "Regin"
+ "value": "Regin",
+ "description": "Regin (also known as Prax or WarriorPride) is a sophisticated malware toolkit revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download including malware discovered at Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003. The name Regin is first found on the VirusTotal website on 9 March 2011.",
+ "meta": {
+ "refs": ["https://en.wikipedia.org/wiki/Regin_(malware)"],
+ "synonyms": ["Prax","WarriorPride"]
+ }
 },
 {
 "value": "Duqu"
@@ -1156,7 +1161,7 @@
 "value": "Shamoon"
 }
 ],
- "version": 12,
+ "version": 13,
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "author": [
From 19406277d4b83370163a36b65f2d860a49f0d813 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 13 Jan 2017 08:23:03 +0100
Subject: [PATCH 2/3] Equation Group added
---
 clusters/threat-actor.json | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5535776..0caf168 100644
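Review bot: In the Regin hunk the new `refs` and `synonyms` arrays are written inline, `"synonyms": ["Prax","WarriorPride"]` with no space after the comma, while the rest of tool.json (compare the CHOPSTICK entry added in the third patch of this series) puts one array element per line; the Equation Group entry's `"refs": ["https://en.wikipedia.org/wiki/Equation_Group"]` in the second patch has the same inline form. Running the file through the project's pretty-printer before committing keeps the layout uniform and makes later diffs on these arrays line-by-line instead of rewriting a whole line. The description appears to be the referenced Wikipedia article's opening paragraphs quoted verbatim; if that is the case, it is worth stating next to the ref so the provenance of the text is clear to consumers of the cluster.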
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1350,6 +1350,14 @@
 ],
 "motive": "Hacktivists-Nationalists"
 }
+ },
+ {
+ "value": "Equation Group",
+ "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame",
+ "meta": {
+ "country": "US",
+ "refs": ["https://en.wikipedia.org/wiki/Equation_Group"]
+ }
 }
 ],
 "name": "Threat actor",
@@ -1364,5 +1372,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 11
+ "version": 12
 }
From edea2d25ee8a9ad40141a14ccc05e64ad5225b91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A9borah=20Servili?=
Date: Mon, 16 Jan 2017 12:08:20 +0100
Subject: [PATCH 3/3] add APT28's tools
---
 clusters/tool.json | 79 ++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 76 insertions(+), 3 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 8a9858b..1d4a41b 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
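Review bot: The new Equation Group `description` stops mid-sentence without terminal punctuation (`...from a position of superiority with the creators of Stuxnet and Flame"`), so it reads as a truncated quotation; either finish the sentence or at least close it with a period, as the Regin description in the first patch does. The `country` field asserts `"US"` as a bare fact while the only reference is the Wikipedia article; adding a `refs` entry for the discoverer's report that the description itself names would let readers verify the attribution rather than take it on trust. The values array this entry is appended to opens outside the hunk, so the preceding entries cannot be checked here.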
@@ -303,13 +303,86 @@
 "value": "CORESHELL"
 },
 {
- "value": "CHOPSTICK"
+ "value": "CHOPSTICK",
+ "description": "backdoor",
+ "meta": {
+ "synonyms": [
+ "Xagent",
+ "webhp",
+ "SPLM",
+ "(.v2 fysbis)"
+ ],
+ "refs": [
+ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
+ ]
+ }
 },
 {
- "value": "SOURFACE"
+ "value": "EVILTOSS",
+ "description": "backdoor",
+ "meta": {
+ "synonyms": [
+ "Sedreco",
+ "AZZY",
+ "Xagent",
+ "ADVSTORESHELL",
+ "NETUI"
+ ],
+ "refs": [
+ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
+ ]
+ }
 },
 {
- "value": "OLDBAIT"
+ "value": "GAMEFISH",
+ "description": "backdoor",
+ "meta": {
+ "synonyms": [
+ "Sednit",
+ "Seduploader",
+ "JHUHUGIT",
+ "Sofacy"
+ ],
+ "refs": [
+ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
+ ]
+ }
+ },
+ {
+ "value": "SOURFACE",
+ "description": "downloader - Older version of CORESHELL",
+ "meta": {
+ "synonyms": [
+ "Sofacy"
+ ],
+ "refs": [
+ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
+ ]
+ }
+ },
+ {
+ "value": "OLDBAIT",
+ "description": "credential harvester",
+ "meta": {
+ "synonyms": [
+ "Sasfis"
+ ],
+ "refs": [
+ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
+ ]
+ }
+ },
+ {
+ "value": "CORESHELL",
+ "description": "downloader - Newer version of SOURFACE",
+ "meta": {
+ "synonyms": [
+ "Sofacy"
+ ],
+ "refs": [
+ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
+ ]
+ }
 },
 {
 "value": "Havex RAT",
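Review bot: The added block `"value": "CORESHELL"` at the bottom of this hunk duplicates the existing CORESHELL entry whose `"value": "CORESHELL"` line is the first context line of the same hunk, so tool.json now holds two entries with the same value and any lookup by value becomes ambiguous; move the new `description` and `meta` onto the existing entry and drop the added duplicate. The diffstat (`76 insertions(+), 3 deletions(-)`) matches this hunk alone, so unlike the first two patches this one leaves the cluster's `"version": 13` unbumped after changing its content; it should go to `"version": 14`. The synonym lists also overlap: `Sofacy` is listed under GAMEFISH, SOURFACE and CORESHELL, and `Xagent` under both CHOPSTICK and EVILTOSS, so a synonym no longer resolves to a single tool; since Sofacy is commonly used as a name for the APT28 group itself, keeping group-level names out of per-tool synonyms, or noting the ambiguity in each `description`, would avoid false matches. `"(.v2 fysbis)"` is not a clean synonym token either and would be better expressed as a plain name with the version noted in the description.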