From d61e7d2fac447fcbc7f18640ea78c27874941d93 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann <daniel.plohmann@mailbox.org>
Date: Fri, 29 Jan 2021 10:39:18 +0100
Subject: [PATCH] adding ClearSky alias for Volatile Cedar

adding ClearSky report as source and alias to the VolatileCedar entry. As proof from the report: "We attributed the operation to Lebanese Cedar (also known as Volatile Cedar), mainly based on the code overlaps between the 2015 variants of Explosive RAT and Caterpillar WebShell, to the 2020 variants of these malicious  files."
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 24852b6..2fd7c74 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3918,12 +3918,14 @@
         "refs": [
           "https://blog.checkpoint.com/2015/03/31/volatilecedar/",
           "https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/",
-          "https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/"
+          "https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/",
+          "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf"
         ],
         "synonyms": [
           "Reuse team",
           "Malware reusers",
-          "Dancing Salome"
+          "Dancing Salome",
+          "Lebanese Cedar"
         ]
       },
       "uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a",