From f1ea577e9559ef4039741816573a32b3f0cbfd1f Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Sun, 26 Feb 2017 23:24:51 +0100
Subject: [PATCH] pimp and agreggate turla

---
 clusters/tool.json | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 645896e..1a1513d 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -525,10 +525,22 @@
       }
     },
     {
-      "value": "Turla"
-    },
-    {
-      "value": "Uroburos"
+      "value": "Turla",
+      "description": "Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver).",
+      "meta": {
+        "synonyms": [
+          "Snake",
+          "Uroburos",
+          "Urouros"
+        ],
+        "refs": [
+          "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf"
+        ],
+        "type": [
+          "Backdoor",
+          "Rootkit"
+        ]
+      }
     },
     {
       "value": "Winexe"