From bfcc867ee6f3ba1a6a3e2cf68bcf1b52da500411 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 14 Jan 2020 15:54:06 +0100
Subject: [PATCH 1/2] add two wipers to tools
---
 clusters/tool.json | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index c4144c4..f922271 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7915,7 +7915,27 @@
 },
 "uuid": "a0736351-1721-42ed-a057-19b4b93b585e",
 "value": "NBTScan"
+ },
+ {
+ "description": "ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectorsin the Middle East. Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation state adversaries were involved to develop and deploy this new wiper. ",
+ "meta": {
+ "refs": [
+ "https://www.ibm.com/downloads/cas/OAJ4VZNJ"
+ ]
+ },
+ "uuid": "40fdcaac-a733-4088-9058-7b15a415b943",
+ "value": "ZeroCleare"
+ },
+ {
+ "description": "At the heart of the recent Bapco attack is a new strain of malware named Dustman. According to an analysis by Saudi Arabia's cyber-security agency, Dustman is a so-called data wiper -- malware designed to delete data on infected computers, once launched into execution.\nDustman represents the third different data-wiping malware linked to the Tehran regime. Iranian state-backed hackers have a long history of developing data-wiping malware.",
+ "meta": {
+ "refs": [
+ "https://mobile.twitter.com/IntezerLabs/status/1215252764080644098"
+ ]
+ },
+ "uuid": "ff692a4c-23ff-4e86-a03b-2de8d36bc98f",
+ "value": "Dustman"
 }
 ],
- "version": 129
+ "version": 130
 }
From 32961527aa1d66f13946eb6a888e88208a6bc96f Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 15 Jan 2020 13:41:53 +0100
Subject: [PATCH 2/2] add Autochk Rootkit as tool
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
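Review bot: Both new descriptions are pasted verbatim from third-party write-ups and carry their first-person attribution claims (`we suspect Iran-based nation state adversaries`, `linked to the Tehran regime`) as if they were this cluster's own assessment, while the Dustman entry's only ref is a tweet rather than the Saudi agency analysis the text itself cites or the article it appears to be quoted from. I would mark the quoted text as such (or reword it in the galaxy's own voice) and add the primary report URL to `refs`, so the attribution stays checkable if the tweet is deleted. The ZeroCleare description also contains the typo `sectorsin` and a trailing space inside the string (`this new wiper. "`), both of which every consumer will render verbatim; fix as `industrial sectors in the Middle East` and `this new wiper."`. The `version` bump to 130 is fine; this is the same version line the next patch bumps again.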
diff --git a/clusters/tool.json b/clusters/tool.json
index f922271..93501b3 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7935,7 +7935,17 @@
 },
 "uuid": "ff692a4c-23ff-4e86-a03b-2de8d36bc98f",
 "value": "Dustman"
+ },
+ {
+ "description": "This rootkit is a very simple. The name of the driver is “autochk.sys” - that’s why we’ll call it the autochk rootkit. The rootkit implements 2 functionalities: File Redirection and Network Connection Hiding.",
+ "meta": {
+ "refs": [
+ "https://repnz.github.io/posts/autochk-rootkit-analysis/"
+ ]
+ },
+ "uuid": "4a60dc72-1ca0-4503-a635-96e119c5278d",
+ "value": "Autochk Rootkit"
 }
 ],
- "version": 130
+ "version": 131
 }
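Review bot: The new Autochk Rootkit description opens with the ungrammatical sentence `This rootkit is a very simple.` and the rest is a first-person quote from the referenced blog post (`that's why we'll call it the autochk rootkit`), so the naming rationale reads as the galaxy's own rather than the analyst's. Suggest rewording to `This rootkit is very simple. Its driver is named “autochk.sys”, hence the name autochk rootkit. It implements two functionalities: file redirection and network connection hiding.` and leaving the blog URL in `refs` as the source of the analysis. Since the driver filename is the only concrete indicator the entry gives and it currently lives only in free text, consider also recording `autochk.sys` in `meta` if this cluster's schema has a field for synonyms or aliases, so it can be matched rather than only read.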