From cddfd5fcd18e410eee7fc6bdea405af656e68ab6 Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Fri, 11 Jan 2019 09:53:08 +0100
Subject: [PATCH 1/2] TA505 threat actorand affiliates malwares

---
 clusters/backdoor.json     | 12 +++++++++++-
 clusters/rat.json          | 12 +++++++++++-
 clusters/threat-actor.json | 13 ++++++++++++-
 3 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 8518a703..b1deff9d 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -41,7 +41,17 @@
       },
       "uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786",
       "value": "Rosenbridge"
+    },
+    {
+      "description": "The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.\n\n\"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit,\" researchers from Proofpoint explain in an analysis released today.\n\nThe other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/"
+        ]
+      },
+      "uuid": "8b50360c-4d16-4f52-be75-e74c27f533df",
+      "value": "ServHelper"
     }
   ],
-  "version": 3
+  "version": 4
 }
diff --git a/clusters/rat.json b/clusters/rat.json
index d641060c..92bc2dc3 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3298,7 +3298,17 @@
       },
       "uuid": "ef9f1592-0186-4f5d-a8ea-6c10450d2219",
       "value": "BONDUPDATER"
+    },
+    {
+      "description": "Proofpoint also point out that FlawedGrace is a full-featured RAT written in C++ and that it is a very large program that \"extensive use of object-oriented and multithreaded programming techniques. \"As a consequence, getting familiar with its internal structure takes a lot of time and is far from a simple task.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/"
+        ]
+      },
+      "uuid": "428c8288-6f65-453f-bfa2-4b519d08f8e9",
+      "value": "FlawedGrace"
     }
   ],
-  "version": 23
+  "version": 24
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 35084110..7e5b2807 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6126,7 +6126,18 @@
       },
       "uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
       "value": "Operation Sharpshooter"
+    },
+    {
+      "description": "TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/",
+          "https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png"
+        ]
+      },
+      "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
+      "value": "TA505"
     }
   ],
-  "version": 84
+  "version": 85
 }

From 90d2bf7bc128e5fd3fb97258186c14a9e8cee0fe Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Fri, 11 Jan 2019 10:17:07 +0100
Subject: [PATCH 2/2] add drakhydrus ref

---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7e5b2807..9e443cfd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5547,7 +5547,8 @@
       "description": "In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).",
       "meta": {
         "refs": [
-          "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
+          "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
+          "https://mobile.twitter.com/360TIC/status/1083289987339042817"
         ]
       },
       "uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9",