add Chalubo botnet (+ jqallthethings)

clusters/botnet.json

@@ -1136,7 +1136,17 @@
       ],
       "uuid": "e3e91fe2-c7ce-11e8-8e85-6bc15cd2a63c",
       "value": "Persirai"
+    },
+    {
+      "description": "Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.",
+      "meta": {
+        "refs": [
+          "https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/"
+        ]
+      },
+      "uuid": "f387e30a-dc48-11e8-b9f4-370bc63008bf",
+      "value": "Chalubo"
     }
   ],
-  "version": 17
+  "version": 18
 }

clusters/threat-actor.json

@@ -5985,7 +5985,6 @@
       "value": "The Shadow Brokers"
     },
     {
-      "value" : "EvilTraffic",
       "description": "Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.",
       "meta": {
         "refs": [
@@ -5996,7 +5995,8 @@
           "Operation EvilTraffic"
         ]
       },
-      "uuid": "c2d5a052-dc30-11e8-9643-d76f3b9c94fa"
+      "uuid": "c2d5a052-dc30-11e8-9643-d76f3b9c94fa",
+      "value": "EvilTraffic"
     }
   ],
   "version": 76