From 3bdbd6646b68cd188f579e3a2bc414c78b65caeb Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 17 Jan 2019 09:44:09 +0100
Subject: [PATCH 1/2] add Cold River Threat actor
---
clusters/threat-actor.json | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 79f0997b..0e624914 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6179,7 +6179,21 @@
 },
 "uuid": "d8e1762a-0063-48c2-9ea1-8d176d14b70f",
 "value": "STARDUST CHOLLIMA"
+ },
+ {
+ "description": "In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure documents and custom implants.",
+ "meta": {
+ "refs": [
+ "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/"
+ ],
+ "synonyms": [
+ "Nahr Elbard",
+ "Nahr el bared"
+ ]
+ },
+ "uuid": "7d99d2f7-adf0-44e4-9044-d18ff6842a16",
+ "value": "Cold River"
 }
 ],
- "version": 86
+ "version": 87
 }
From 45ed56cd614d6d97874b6d5bf85df65f91a9daf6 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 17 Jan 2019 10:49:23 +0100
Subject: [PATCH 2/2] add LoJax ref
---
clusters/tool.json | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index f4ff3f5a..f27cca89 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
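Review bot: The new description in the threat-actor.json hunk is a verbatim sentence lifted from the cited Lastline post, including the leading "In short," and the parenthetical "threat (actor)", so it reads as a quote fragment rather than a cluster summary; reword it as a neutral attributed statement, e.g. `"description": "Cold River is a threat actor that, according to Lastline, uses DNS subdomain hijacking, certificate spoofing and covert tunneled command-and-control traffic together with convincing lure documents and custom implants."`. The two synonyms "Nahr Elbard" and "Nahr el bared" look like spelling variants of a single alias; if so, keep the spelling the reference uses and drop the other, or confirm both forms appear in reporting before listing both. The enclosing values array and the top of the cluster file are outside the hunk, so whether the new uuid is unique within the file cannot be checked here.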
@@ -7233,7 +7233,8 @@
 "description": "rootkit for the Unified Extensible Firmware Interface (UEFI). Used by APT28. The researchers named the rootkit LoJax, after the malicious samples of the LoJack anti-theft software that were discovered earlier this year.",
 "meta": {
 "refs": [
- "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/"
+ "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
+ "https://www.bleepingcomputer.com/news/security/lojax-command-and-control-domains-still-active/"
 ]
 },
 "uuid": "6d53a74e-c8a5-11e8-a123-332e4eaac9bb",
@@ -7510,5 +7511,5 @@
 "value": "OSX.BadWord"
 }
 ],
- "version": 107
+ "version": 108
 }