From a9a71ef84c6c1723b3a7cfc728b8db86eea830e6 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 3 Aug 2018 15:58:54 +0200
Subject: [PATCH 1/3] more clusters
---
 clusters/rat.json | 5 +++--
 clusters/threat-actor.json | 27 ++++++++++++++++++++++++---
 clusters/tool.json | 5 +++--
 3 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index a953b8b..8449c24 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2,7 +2,7 @@
 "uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
 "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
 "source": "MISP Project",
- "version": 11,
+ "version": 12,
 "values": [
 {
 "meta": {
@@ -548,7 +548,8 @@
 "meta": {
 "date": "2014",
 "refs": [
- "https://github.com/quasar/QuasarRAT"
+ "https://github.com/quasar/QuasarRAT",
+ "https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/"
 ]
 },
 "uuid": "6efa425c-3731-44fd-9224-2a62df061a2d",
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a006590..65e2ee0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3748,8 +3748,29 @@
 "https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
 "https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
 ]
- }
- }
+ },
+ "uuid": "a6fdd972-971a-11e8-bf58-9b08a198e9a3"
+ },
+ {
+ "value": "Subaat",
+ "description": "In mid-July, Palo Alto Networks Unit 42 identified a small targeted phishing campaign aimed at a government organization. While tracking the activities of this campaign, we identified a repository of additional malware, including a web server that was used to host the payloads used for both this attack as well as others.",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/"
+ ]
+ },
+ "uuid": "a7bc4ef2-971a-11e8-9bf0-13aa7d6d8651"
+ },
+ {
+ "value": "Gorgon Group",
+ "description": "Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
+ ]
+ },
+ "uuid": "a80b042a-971a-11e8-8df0-1f40df1bf6e9"
+ },
 ],
 "name": "Threat actor",
 "type": "threat-actor",
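Review bot: The last added line of the hunk, `+ },`, sits directly before the context line `],`, so clusters/threat-actor.json carries a trailing comma after this commit and is rejected by a strict JSON parser; the line should have been `}`. PATCH 2/3 of this series removes the comma only as a side effect of deleting the duplicate Gorgon Group entry, and PATCH 3/3 removes a leftover conflict marker from the same region, so both slips would have been caught by parsing every file under clusters/ (`python -m json.tool` or `jq .`) before committing; if the repository has no such check, it is worth adding one. The Gorgon Group entry added here duplicates an existing one according to PATCH 2/3's subject; its Unit 42 reference should be carried over to the surviving entry if that entry does not already cite it, rather than dropped together with the duplicate.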
@@ -3763,5 +3784,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 46
+ "version": 47
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index ed10eea..f0f9226 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2,7 +2,7 @@
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "source": "MISP Project",
- "version": 78,
+ "version": 79,
 "values": [
 {
 "meta": {
@@ -2847,7 +2847,8 @@
 {
 "meta": {
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"
+ "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
+ "https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/"
 ]
 },
 "description": "QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat . The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past.",
From 35aa8ba34e9873a105d57a2733cac0dbbcbe7393 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 3 Aug 2018 16:08:43 +0200
Subject: [PATCH 2/3] delete duplicate gorgon group
---
 clusters/threat-actor.json | 12 +----------
 1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 65e2ee0..5d74969 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3760,17 +3760,7 @@
 ]
 },
 "uuid": "a7bc4ef2-971a-11e8-9bf0-13aa7d6d8651"
- },
- {
- "value": "Gorgon Group",
- "description": "Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.",
- "meta": {
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
- ]
- },
- "uuid": "a80b042a-971a-11e8-8df0-1f40df1bf6e9"
- },
+ }
 ],
 "name": "Threat actor",
 "type": "threat-actor",
From b7de06ffccea90f59483ffec7e090f8de3afdde3 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 6 Aug 2018 08:49:44 +0200
Subject: [PATCH 3/3] delete forgotten conflict marker
---
 clusters/threat-actor.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3200c3f..fce5663 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3765,7 +3765,6 @@
 "https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
 "https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
 ]
-<<<<<<< HEAD
 }
 },
 {
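Review bot: Deleting the duplicate also drops the reference `https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/`; if the surviving Gorgon Group entry elsewhere in the file does not already list it under `refs`, that source is lost and should be added there. The replacement line `+ }` also removes the trailing comma PATCH 1/3 left before `],`, which the subject does not mention; that is the change that makes the file parse again and deserves a line in the commit message. The enclosing `values` array starts and ends outside the hunk, so whether exactly one Gorgon Group entry remains has to be checked against the whole file.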
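Review bot: Only the `<<<<<<< HEAD` line is removed; a conflict block normally leaves `=======` and `>>>>>>> …` lines as well, and none of the six context lines show them, so the whole file should be re-parsed (`python -m json.tool clusters/threat-actor.json`) to confirm that no other marker survived and the document loads. The context after `]` now reads `}` `},` `{`, without the `"uuid": "a6fdd972-971a-11e8-bf58-9b08a198e9a3"` line PATCH 1/3 inserted at this point; that may be how the merge was resolved, but it is worth confirming this entry still has a uuid, since every other entry touched by the series carries one. The entry's opening `{` and the surrounding `values` array are outside the hunk.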