add Winnti related tools etc.

2019-10-31 10:36:15 +01:00 · 2019-10-31 10:36:15 +01:00 · 0a8f989e1c
parent 88025a541f
commit 0a8f989e1c
2 changed files with 18 additions and 4 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -671,8 +671,12 @@
          "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/"
        ],
        "synonyms": [
+          "Winnti Umbrella"
          "Winnti Group",
          "Tailgater Team",
+          "Suckfly"
+          "APT41",
+          "APT 41"
          "Group 72",
          "Group72",
          "Tailgater",
@ -7756,5 +7760,5 @@
      "value": "Operation Soft Cell"
    }
  ],
-  "version": 136
+  "version": 137
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -663,7 +663,9 @@
        "synonyms": [
          "Etso",
          "SUQ",
-          "Agent.ALQHI"
+          "Agent.ALQHI",
+          "RbDoor",
+          "RibDoor","HIGHNOON"
        ],
        "type": [
          "Backdoor"
@ -5352,7 +5354,8 @@
      "meta": {
        "refs": [
          "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
-        ]
+        ],
+        "synonyms":[ "POISONPLUG", "Barlaiy"]
      },
      "related": [
        {
@ -7859,7 +7862,14 @@
      "description": "Legitimate tool - tool used to scan IPv4/IPv6 networks and remotely execute PowerShell commands.",
      "uuid": "bbba3a35-5064-4e60-ad4b-0ba16cc81a23",
      "value": "Netscan"
+    },
+    {
+      "value":"ShadowHammer",
+      "description": "Malware embedded in Asus Live Update in 2018. ShadowHammer triggers its malicious behavior only if the computer it is running on has a network adapter with the MAC address whitelisted by the attacker.",
+      "meta": {
+        "refs": ["https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf"]
+      }
    }
  ],
-  "version": 126
+  "version": 127
 }