Merge pull request #233 from Delta-Sierra/master

Add CFR.org metadata into the galaxy - Test

clusters/botnet.json

@@ -2,7 +2,7 @@
   "description": "botnet galaxy",
   "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
   "source": "MISP Project",
-  "version": 5,
+  "version": 6,
   "values": [
     {
       "meta": {
@@ -617,6 +617,18 @@
       "description": "The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run command such as: download a file, update itself, visit a website and perform HTTP, SYN, UDP flooding",
       "value": "Pontoeb",
       "uuid": "bc60de19-27a5-4df8-a835-70781b923125"
+    },
+    {
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/"
+        ],
+        "synonyms": [
+          "Trik Trojan"
+        ]
+      },
+      "value": "Trik Spam Botnet",
+      "uuid": "c68d5e64-7485-11e8-8625-2b14141f0501"
     }
   ],
   "authors": [

clusters/ransomware.json

@@ -7966,7 +7966,8 @@
           "samsam.exe",
           "MIKOPONI.exe",
           "RikiRafael.exe",
-          "showmehowto.exe"
+          "showmehowto.exe",
+          "SamSam Ransomware"
         ],
         "extensions": [
           ".encryptedAES",
@@ -8014,7 +8015,8 @@
         "refs": [
           "https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip",
           "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
-          "http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf"
+          "http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf",
+          "https://www.bleepingcomputer.com/news/security/new-samsam-variant-requires-special-password-before-infection/"
         ]
       },
       "uuid": "731e4a5e-35f2-47b1-80ba-150b95fdc14d"

clusters/threat-actor.json

@@ -452,7 +452,28 @@
           "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
           "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
           "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
-          "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/"
+          "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
+          "https://www.cfr.org/interactive/cyber-operations/iron-tiger"
+        ],
+        "cfr-suspected-victims": [
+          "United States",
+          "Japan",
+          "Taiwan",
+          "India",
+          "Canada",
+          "China",
+          "Thailand",
+          "Israel",
+          "Australia",
+          "Republic of Korea",
+          "Russia",
+          "Iran"
+        ],
+        "cfr-suspected-state-sponsor": "Unknown",
+        "cfr-type-of-incident": "Espionage",
+        "cfr-target-category": [
+          "Government",
+          "Private sector"
         ]
       },
       "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
@@ -2725,5 +2746,5 @@
   ],
   "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
   "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-  "version": 43
+  "version": 44
 }