From 9059a85eed4294bfaa45a30a025ab69c5b97cde3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 11 Aug 2018 16:14:39 +0200
Subject: [PATCH] chg: [tool] KEYMARBLE malware added ref: https://www.us-cert.gov/ncas/analysis-reports/AR18-221A
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 0c309f8..3d3e3ce 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2,7 +2,7 @@
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "source": "MISP Project",
- "version": 82,
+ "version": 83,
 "values": [
 {
 "meta": {
@@ -4557,6 +4557,16 @@
 "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
 ]
 }
+ },
+ {
+ "value": "KEYMARBLE",
+ "description": "This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as KEYMARBLE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity.",
+ "uuid": "f7f53bb8-37ed-4bbe-9809-ca1594431536",
+ "meta": {
+ "refs": [
+ "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A"
+ ]
+ }
 }
 ],
 "authors": [
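Review bot: In the second hunk (`@@ -4557,6 +4557,16 @@`), the new KEYMARBLE `description` ends on a truncated sentence, `For more information on HIDDEN COBRA activity.`, and the text is the report's introduction rather than a description of the tool. An analyst reading this entry learns who published the report but not what the entry identifies. I would drop the fragment and lead with the tool, for example `"description": "KEYMARBLE is a Trojan malware variant that DHS and FBI attribute to the North Korean government (activity the U.S. Government calls HIDDEN COBRA), documented in Malware Analysis Report AR18-221A."`. The HIDDEN COBRA attribution is recorded only in free text, so tooling that correlates on structured fields will not link this entry to the actor. If the cluster format offers a structured field for that (none is visible in this hunk), it would be worth filling in here.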