From 4482e198a04b96e936ca9d7e2b97641b41652612 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 8 Aug 2017 08:50:36 +0200
Subject: [PATCH 1/5] add GlobeImposter synonym
---
 clusters/ransomware.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 569b69d4..772c65bd 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -2300,7 +2300,8 @@
 {
 "meta": {
 "synonyms": [
- "Globe Imposter"
+ "Globe Imposter",
+ "GlobeImposter"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html",
From d6a4e3a5a09a2a073d32d4e00e8e3163b5803533 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 8 Aug 2017 12:37:14 +0200
Subject: [PATCH 2/5] add/update tool galaxy
---
 clusters/tool.json | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index df6f2d0e..0d2785d6 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -407,7 +407,8 @@
 "HackTool"
 ],
 "refs": [
- "https://github.com/gentilkiwi/mimikatz"
+ "https://github.com/gentilkiwi/mimikatz",
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
 ],
 "synonyms": [
 "Mikatz"
@@ -2900,7 +2901,7 @@
 }
 },
 {
- "description": "n mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.",
+ "description": "In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.",
 "value": "Svpeng",
 "meta": {
 "refs": [
@@ -2910,6 +2911,35 @@
 "trojan-banker.androidos.svpeng.ae"
 ]
 }
+ },
+ {
+ "description": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. Due to these two layers, we use the name TwoFace to track this webshell.\nDuring our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers.",
+ "value": "TwoFace",
+ "type": "webshell",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
+ ]
+ },
+ },
+ {
+ "description": "Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is “9A26A0E7B88940DAA84FC4D5E6C61AD0”. 
Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete",
+ "value": "IntrudingDivisor",
+ "type": "webshell",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
+ ]
+ }
+ },
+ {
+ "description": "Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET (Detected by Trend Micro as JS_POWMET.DE), which arrives via an autostart registry procedure. By utilizing a completely fileless infection chain, the malware will be more difficult to analyze using a sandbox, making it more difficult for anti-malware engineers to examine.",
+ "value": "JS_POWMET",
+ "meta": {
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/ "
+ ]
+ }
 }
 ]
 }
From fa813f0f20fd15dd3d31099b97a6cef4f39ce30b Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 8 Aug 2017 12:40:35 +0200
Subject: [PATCH 3/5] jq~
---
 clusters/tool.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 0d2785d6..9498d3b7 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2920,7 +2920,7 @@
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
 ]
- },
+ }
 },
 {
 "description": "Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is “9A26A0E7B88940DAA84FC4D5E6C61AD0”. Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete",
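Review bot: The JS_POWMET ref added in this hunk has a trailing space inside the URL string, `"http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/ "`, so any consumer that resolves or deduplicates refs verbatim will most likely treat it as a different (and broken) reference; it should read `"http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/"`. The IntrudingDivisor description also stops mid-sentence at "the command to execute - To complete", a cut from the source article that survives unchanged as context in PATCH 3/5, 4/5 and 5/5; either end it at `to determine the command to execute.` or finish the quoted sentence. Neither defect is touched by the later patches in this series.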
From 6d7ec00907c26857facb20c864c38290eea7d8c5 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 8 Aug 2017 12:44:37 +0200
Subject: [PATCH 4/5] type is meta
---
 clusters/tool.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 9498d3b7..93703fab 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2915,8 +2915,8 @@
 {
 "description": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. Due to these two layers, we use the name TwoFace to track this webshell.\nDuring our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers.",
 "value": "TwoFace",
- "type": "webshell",
 "meta": {
+ "type": "webshell",
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
 ]
@@ -2925,8 +2925,8 @@
 {
 "description": "Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is “9A26A0E7B88940DAA84FC4D5E6C61AD0”. Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete",
 "value": "IntrudingDivisor",
- "type": "webshell",
 "meta": {
+ "type": "webshell",
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
 ]
From 693ea7e58a96707d367b43a1ec2492bff0397787 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 8 Aug 2017 15:00:06 +0200
Subject: [PATCH 5/5] type is array -shh I'm bad with the format, I know
---
 clusters/tool.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 93703fab..95a2f2a6 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2916,7 +2916,9 @@
 "description": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. Due to these two layers, we use the name TwoFace to track this webshell.\nDuring our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers.",
 "value": "TwoFace",
 "meta": {
- "type": "webshell",
+ "type": [
+ "webshell"
+ ],
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
 ]
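Review bot: After this hunk (and the IntrudingDivisor hunk below it) the two webshell entries carry `"type": ["webshell"]` under `meta`, but the JS_POWMET entry added by PATCH 2/5 still has no `type` at all, so one of the three new entries is shaped differently from the other two; if `type` is part of the cluster meta schema, JS_POWMET should get a value as well, and if it is free-form the accepted values deserve a line in the repository docs. The array form does look consistent with the existing entry at line 407 of PATCH 2/5, whose meta closes an array containing "HackTool" just before "refs", though that array's key name is outside the visible hunk. The trailing comma and top-level `type` placement that PATCH 3/5 and 4/5 had to fix would have been caught before review by a JSON validity check on clusters/tool.json in CI.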
@@ -2926,7 +2928,9 @@
 "description": "Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is “9A26A0E7B88940DAA84FC4D5E6C61AD0”. Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete",
 "value": "IntrudingDivisor",
 "meta": {
- "type": "webshell",
+ "type": [
+ "webshell"
+ ],
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
 ]