From 5e0bd260d61038f25953da24fdd22e8a977ad1d3 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 9 May 2018 16:12:02 +0200
Subject: [PATCH 1/3] update some clusters
---
clusters/ransomware.json | 3 +-
clusters/threat-actor.json | 11 ++++++--
clusters/tool.json | 58 ++++++++++++++++++++++++++++++++++++--
3 files changed, 65 insertions(+), 7 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 7b266c4..616f9a4 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -9071,7 +9071,8 @@
 "description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.",
 "meta": {
 "refs": [
- "https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/"
+ "https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/",
+ "https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-process-doppelg-nging-technique/"
 ],
 "synonyms": [
 "Syn Ack"
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 13b3926..e1dba25 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
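Review bot: The ransomware.json hunk adds a second ref to the SynAck entry but, unlike the threat-actor.json and tool.json changes in the same patch, does not increment the cluster's `version` field (the diffstat shows only the 3-line ref change), and MISP instances use that field to decide whether to re-import a galaxy, so this edit will not propagate to deployed instances until the next bump. The new ref's slug points at a distinct technique (process doppelgänging), while the description two lines above still covers only the ransom note, the extension format and the RDP brute-force delivery, so text and sources drift apart; one sentence such as `Later samples have been reported to use the Process Doppelgänging technique to evade detection (see refs).` would keep them aligned. The cluster's `version` line is outside this hunk.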
@@ -1167,7 +1167,11 @@
 "Unit 121",
 "Bureau 121",
 "NewRomanic Cyber Army Team",
- "Bluenoroff"
+ "Bluenoroff",
+ "Group 77",
+ "Labyrinth Chollima",
+ "Operation Troy",
+ "Operation GhostSecret"
 ],
 "refs": [
 "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
@@ -1176,7 +1180,8 @@
 "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf",
 "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
 "https://www.us-cert.gov/ncas/alerts/TA17-318A",
- "https://www.us-cert.gov/ncas/alerts/TA17-318B"
+ "https://www.us-cert.gov/ncas/alerts/TA17-318B",
+ "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
 ]
 },
 "value": "Lazarus Group",
@@ -2689,5 +2694,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 39
+ "version": 40
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 2dc8725..20e2897 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -11,7 +11,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 68,
+ "version": 69,
 "values": [
 {
 "meta": {
@@ -1541,7 +1541,8 @@
 {
 "meta": {
 "refs": [
- "https://en.wikipedia.org/wiki/Necurs_botnet"
+ "https://en.wikipedia.org/wiki/Necurs_botnet",
+ "https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
 ]
 },
 "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
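Review bot: `"Operation Troy"` and `"Operation GhostSecret"` are campaign names, not aliases of the group, yet the first threat-actor.json hunk adds them to the Lazarus Group `synonyms` array next to genuine aliases such as `"Labyrinth Chollima"`; the cluster's own description, visible as context in the version hunk of the same file, warns that "Adversary groups are regularly confused with their initial operation or campaign". Any consumer that matches attribute values against `synonyms` will from now on tag a campaign name as the actor itself. Suggest dropping the two `"Operation …"` strings from `synonyms` and recording the campaigns in the entry's description instead, where the refs already cite the Operation Troy white paper and the new GhostSecret article. The Lazarus Group entry starts before this hunk.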
@@ -3467,7 +3468,8 @@
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/",
- "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground"
+ "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground",
+ "https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
 ]
 },
 "uuid": "2d1aadfb-03c1-4580-b6ac-f12c6941067d"
@@ -4172,6 +4174,56 @@
 ]
 },
 "uuid": "d83ec444-535c-11e8-ae83-831d0a85d77a"
+ },
+ {
+ "value": "Huigezi malware",
+ "description": "backdoor trojan popular found prevalently in China",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/gaming/chinese-police-arrest-15-people-who-hid-malware-inside-pubg-cheat-apps/"
+ ]
+ },
+ "uuid": "6aef5a32-5381-11e8-ac5a-bb46d8986552"
+ },
+ {
+ "value": "FacexWorm",
+ "description": "Facebook, Chrome, and cryptocurrency users should be on the lookout for a new malware strain named FacexWorm that infects victims for the purpose of stealing passwords, stealing cryptocurrency funds, running cryptojacking scripts, and spamming Facebook users. This new strain was spotted in late April by Trend Micro researchers and appears to be related to two other Facebook Messenger spam campaigns, one that took place last August, and another one from December 2017, the latter spreading the Digmine malware. Researchers say FacexWorm's modus operandi is similar to the previous two campaigns, but with the addition of new techniques aimed at cryptocurrency users.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/facexworm-spreads-via-facebook-messenger-malicious-chrome-extension/"
+ ]
+ },
+ "uuid": "86ac8c80-5382-11e8-b893-4f1651951472"
+ },
+ {
+ "value": "Bankshot",
+ "description": "implant used in Operation GhostSecret",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
+ ]
+ },
+ "uuid": "d9431c02-5391-11e8-931f-4beceb8bd697"
+ },
+ {
+ "value": "Proxysvc",
+ "description": "downloader used in Operation GhostSecret",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
+ ]
+ },
+ "uuid": "dafba168-5391-11e8-87e4-0f93b75d6ac0"
+ },
+ {
+ "value": "Escad",
+ "description": "backdoor used in Operation GhostSecret",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
+ ]
+ },
+ "uuid": "db36cf9a-5391-11e8-b53a-97adedf48055"
 }
 ]
 }
From 5b22aa7225e0ff1ff40bbbe9e63efee9767d0c59 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 14 May 2018 12:00:22 +0200
Subject: [PATCH 2/3] add Mettle botnet
---
clusters/botnet.json | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index 16c7e5c..ade984d 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -566,6 +566,16 @@
 ]
 },
 "uuid": "cdf1148c-5358-11e8-87e5-ab60d455597f"
+ },
+ {
+ "value": "Mettle",
+ "description": "Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.",
+ "meta": {
+ "refs": [
+ "https://thehackernews.com/2018/05/botnet-malware-hacking.html"
+ ]
+ },
+ "uuid": "77a308b6-575d-11e8-89a9-3f6a2a9c08bb"
 }
 ],
 "name": "Botnet",
@@ -576,5 +586,5 @@
 ],
 "description": "botnet galaxy",
 "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
- "version": 4
+ "version": 5
 }
From 3d5c69776105f03d2504655c0ec7a2304567c7bc Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 15 May 2018 12:27:20 +0200
Subject: [PATCH 3/3] add Stalinlocker
---
clusters/tool.json | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 20e2897..bbed472 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -11,7 +11,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 69,
+ "version": 70,
 "values": [
 {
 "meta": {
@@ -4224,6 +4224,19 @@
 ]
 },
 "uuid": "db36cf9a-5391-11e8-b53a-97adedf48055"
+ },
+ {
+ "value": "StalinLocker",
+ "description": "A new in-development screenlocker/wiper called StalinLocker, or StalinScreamer, was discovered by MalwareHunterTeam that gives you 10 minutes to enter a code or it will try to delete the contents of the drives on the computer. While running, it will display screen that shows Stalin while playing the USSR anthem and displaying a countdown until files are deleted.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/"
+ ],
+ "synonyms": [
+ "StalinScreamer"
+ ]
+ },
+ "uuid": "50eb8c54-5828-11e8-8d6b-232bb9329fc0"
 }
 ]
 }
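Review bot: The StalinLocker description is second-person article prose (`gives you 10 minutes`, `it will display screen that shows Stalin`) anchored only as "A new in-development", which will read as wrong within months; rephrase it as a neutral summary and add the discovery date from the reference. Since the entry itself classifies the sample as a screenlocker/wiper, the ransomware cluster touched in the first patch of this series may be the better home than threat-actor-tools, or the two clusters should at least cross-reference each other; that is a maintainers' call. Suggested wording: `"description": "In-development screenlocker/wiper, also known as StalinScreamer, discovered by MalwareHunterTeam. It displays an image of Stalin, plays the USSR anthem and shows a ten-minute countdown; unless the correct unlock code is entered before it expires, it attempts to delete the contents of the computer's drives."`.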