Merge pull request #326 from Delta-Sierra/master

add Cold River Threat actor

clusters/threat-actor.json

@@ -6179,7 +6179,21 @@
       },
       "uuid": "d8e1762a-0063-48c2-9ea1-8d176d14b70f",
       "value": "STARDUST CHOLLIMA"
+    },
+    {
+      "description": "In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure documents and custom implants.",
+      "meta": {
+        "refs": [
+          "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/"
+        ],
+        "synonyms": [
+          "Nahr Elbard",
+          "Nahr el bared"
+        ]
+      },
+      "uuid": "7d99d2f7-adf0-44e4-9044-d18ff6842a16",
+      "value": "Cold River"
     }
   ],
-  "version": 86
+  "version": 87
 }

clusters/tool.json

@@ -7233,7 +7233,8 @@
       "description": "rootkit for the Unified Extensible Firmware Interface (UEFI). Used by APT28. The researchers named the rootkit LoJax, after the malicious samples of the LoJack anti-theft software that were discovered earlier this year.",
       "meta": {
         "refs": [
-          "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/"
+          "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
+          "https://www.bleepingcomputer.com/news/security/lojax-command-and-control-domains-still-active/"
         ]
       },
       "uuid": "6d53a74e-c8a5-11e8-a123-332e4eaac9bb",
@@ -7510,5 +7511,5 @@
       "value": "OSX.BadWord"
     }
   ],
-  "version": 107
+  "version": 108
 }