From 705d0d2e7208dd8784ff7b2eb5afeb9f4427c577 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Mon, 12 Sep 2022 10:51:43 +0200
Subject: [PATCH 1/6] add BumbleBee backdoor
---
 clusters/tool.json | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 64d30487..8737a0e4 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8570,7 +8570,29 @@
 },
 "uuid": "0bdb6f1c-1229-4556-a535-7444ddfbd7a9",
 "value": "GootLoader"
+ },
+ {
+ "description": "BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malware’s jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
+ ],
+ "type": [
+ "backdoor"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "6fc4beee-b922-4d25-833d-8fb574a3c56e",
+ "value": "BumbleBee"
 }
 ],
- "version": 153
+ "version": 154
 }
From 6dba3abe13135136a25000f62d788a4e1607c961 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 13 Sep 2022 10:40:00 +0200
Subject: [PATCH 2/6] add hezb
---
 clusters/cryptominers.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/cryptominers.json b/clusters/cryptominers.json
index 91a3bcf0..b8786400 100644
--- a/clusters/cryptominers.json
+++ b/clusters/cryptominers.json
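Review bot: The new BumbleBee `description` in clusters/tool.json ends with the source article's own transition sentence, `Let us take a deeper look into this backdoor.`, which says nothing about the malware and should be cut so the field ends at `...using the server module.`. The value `BumbleBee` is also the name of a separately reported loader, so a consumer matching on name alone can conflate the two; if this galaxy already tracks that loader, an opening such as `BumbleBee (not to be confused with the Bumblebee loader) is a modular backdoor ...` would disambiguate. The `related` target `96b2b31e-b191-43c4-9929-48ba1cbee62c` cannot be resolved from the diff, so confirm it points at the cluster the author intended before merging.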
@@ -62,7 +62,17 @@
 },
 "uuid": "a0c0ab05-c390-425c-9311-f64bf7ca9145",
 "value": "Krane"
+ },
+ {
+ "description": "“Hezb”, which is based on command line artifact data, was observed around Kinsing. This malware is relatively new and was recently reported in late May exploiting WSO2 RCE (CVE-2022-29464) in the wild. Several malware components were observed, the first of which was an XMRig miner installed as “Hezb”. Additional modules included a polkit exploit for privilege escalation as well as a zero-detection ELF payload named “kik”.",
+ "meta": {
+ "refs": [
+ "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
+ ]
+ },
+ "uuid": "428bbf01-7756-48a2-848d-6bca3997f1df",
+ "value": "Hezb"
 }
 ],
- "version": 2
+ "version": 3
 }
From e3d88f45c6b6895161cea3ae7519e97c185de3ad Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 13 Sep 2022 13:35:55 +0200
Subject: [PATCH 3/6] add Dark.IoT
---
 clusters/botnet.json | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index dd9f867a..df6dea58 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1364,7 +1364,26 @@
 ],
 "uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
 "value": "Qbot"
+ },
+ {
+ "description": "This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.",
+ "meta": {
+ "refs": [
+ "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ }
+ ],
+ "uuid": "505c6a54-a701-4a4b-85d4-0f2038b7b46a",
+ "value": "Dark.IoT"
 }
 ],
- "version": 27
+ "version": 28
 }
From 021fcd2c918d12916bfde08558720d34d2a18b92 Mon Sep 17 00:00:00 2001
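Review bot: The opening sentence of the Hezb `description` in clusters/cryptominers.json, `“Hezb”, which is based on command line artifact data, was observed around Kinsing.`, reads as a fragment and never states what Hezb is; an opening such as `Hezb (the name is taken from its command-line artifacts) is an XMRig-based cryptominer observed alongside Kinsing.` would let the rest of the text stand unchanged. The text ties Hezb to Kinsing and to `CVE-2022-29464`, yet the entry carries neither a `related` link nor a `type`, whereas the BumbleBee entry in PATCH 1 records `"type": ["backdoor"]`; if cryptominers.json uses `meta.type`, and if a Kinsing cluster exists, both are worth adding (the Kinsing uuid would have to be looked up). The curly quotes around `Hezb` and `kik` should match whatever quoting the rest of the file uses.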
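Review bot: The Dark.IoT `description` in clusters/botnet.json opens with `This malware is characterized by ...` and never names the malware or its family, so the text is meaningless when displayed outside the cluster; suggest `Dark.IoT is a botnet characterized by alternative DNS connections; it connects to several *.lib domains using custom DNS servers.`. The `related` element marks it `variant-of` `fcdfd4af-da35-49a8-9610-19be8a487185`, but the description leaves that parent unnamed; once the target is confirmed, state the family in the description rather than making readers resolve the UUID. The custom-DNS and `*.lib` behaviour is the one detection-relevant detail here and should stay exactly as written.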
From: Delta-Sierra
Date: Thu, 15 Sep 2022 10:29:46 +0200
Subject: [PATCH 4/6] add Lorenz ransomware
---
 clusters/ransomware.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index b8f79d58..eca2ed9d 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -24589,7 +24589,20 @@
 },
 "uuid": "995c3772-dbda-4a2a-9e28-c47740d599a3",
 "value": "Maui ransomware"
+ },
+ {
+ "description": "Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.",
+ "meta": {
+ "ransomnotes-refs": [
+ "https://marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png"
+ ],
+ "refs": [
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/"
+ ]
+ },
+ "uuid": "d513199e-7f21-43fd-9610-ed708c3f6409",
+ "value": "Lorenz Ransomware"
 }
 ],
- "version": 107
+ "version": 108
 }
From 0903300b75ab4f6c6245003e22bab1393eb15faf Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Thu, 15 Sep 2022 13:24:49 +0200
Subject: [PATCH 5/6] Add Chisel
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 8737a0e4..67d57393 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
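Review bot: The `ransomnotes-refs` entry for Lorenz in clusters/ransomware.json points at a CDN mirror, `https://marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/wp-content/uploads/...`, rather than the publisher's host, and such cache URLs tend to rot; the path it embeds suggests the origin is `https://arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png`, which should be verified and used instead. The value `Lorenz Ransomware` also capitalises differently from the neighbouring `Maui ransomware`; apply whichever form the file uses most. The description states `active since at least February 2021`, which could additionally be recorded in a `meta.date` field if ransomware.json carries one.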
@@ -8592,7 +8592,17 @@
 ],
 "uuid": "6fc4beee-b922-4d25-833d-8fb574a3c56e",
 "value": "BumbleBee"
+ },
+ {
+ "description": "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Benign in itself, but used by threat actors.",
+ "meta": {
+ "refs": [
+ "https://github.com/jpillora/chisel"
+ ]
+ },
+ "uuid": "f493dede-9134-44db-a00d-aa4866bfd555",
+ "value": "Chisel"
 }
 ],
- "version": 154
+ "version": 155
 }
From 8202a7f48f6e6cca3d43387c123500a5bb4440aa Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Thu, 15 Sep 2022 15:39:47 +0200
Subject: [PATCH 6/6] Add PlugX ref
---
 clusters/rat.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index dd42ee54..c87ed04e 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -1941,7 +1941,8 @@
 "date": "2005 or 2008",
 "refs": [
 "https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/",
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX"
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX",
+ "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
 ],
 "synonyms": [
 "Korplug",
@@ -3536,5 +3537,5 @@
 "value": "Ragnatela"
 }
 ],
- "version": 39
+ "version": 40
 }
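Review bot: The Chisel entry in clusters/tool.json justifies its inclusion with `Benign in itself, but used by threat actors.`, but its only reference is the project's GitHub page, so the claim of malicious use is unsourced within the entry. The Lorenz entry added in PATCH 4 of this series cites `https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/`, which documents exactly that use; adding it to `refs` and a `related` link to Lorenz's uuid `d513199e-7f21-43fd-9610-ed708c3f6409` makes the entry self-supporting and connects the two clusters. The description is also lifted from the README in the second person (`into your network`) and should be rephrased in the third person. Whether `related-to` or a more specific relation type is this galaxy's convention for tool-to-ransomware links should be checked before merging.
```json
"meta": {
  "refs": [
    "https://github.com/jpillora/chisel",
    "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/"
  ]
},
"related": [
  {
    "dest-uuid": "d513199e-7f21-43fd-9610-ed708c3f6409",
    "tags": [
      "estimative-language:likelihood-probability=\"likely\""
    ],
    "type": "related-to"
  }
],
```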
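Review bot: The PlugX reference added in clusters/rat.json is a bare object-storage URL, `https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf`, which has no publisher landing page behind it and can vanish or be re-keyed without notice; if the publisher hosts a page for this report, cite that, otherwise keep the S3 link but add an archived copy alongside it. The PlugX object holding this `refs` array begins and ends outside the hunk. The second hunk in this file is only the `version` bump.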