From 1a18ffb3eb9dc6acf5a8211559348f5836488a14 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 11 Apr 2018 16:30:58 +0200
Subject: [PATCH] add Rovnix
---
 clusters/tool.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 9dfc8f7..59baa59 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -11,7 +11,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 62,
+ "version": 63,
 "values": [
 {
 "meta": {
@@ -4126,6 +4126,19 @@
 ]
 },
 "uuid": "8c0a7e1e-3cc4-11e8-8f03-2f71e72f737b"
+ },
+ {
+ "value": "Rovnix",
+ "description": "We recently found that the malware family ROVNIX is capable of being distributed via macro downloader. This malware technique was previously seen in the DRIDEX malware, which was notable for using the same routines. DRIDEX is also known as the successor of the banking malware CRIDEX.",
+ "meta": {
+ "refs": [
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/"
+ ],
+ "synonyms": [
+ "ROVNIX"
+ ]
+ },
+ "uuid": "a4036a28-3d94-11e8-ad9f-97ada3c6d5fb"
 }
 ]
 }
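Review bot: The `description` of the new Rovnix entry in the second hunk is a first-person passage taken from the referenced vendor post ("We recently found …"), so inside the cluster it is unclear who "we" is and "recently" goes stale. It also only says how the family was delivered and how DRIDEX relates to CRIDEX, not what Rovnix itself is. A neutral, self-contained wording that stays within what the reference states would serve analysts better, for example `"description": "Rovnix is a malware family that has been observed being distributed through a macro downloader, a technique previously seen with DRIDEX.",`. The `"ROVNIX"` synonym differs from `value` only in case, so it probably adds nothing unless consumers of the cluster match case-sensitively.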