add BabaYaga Malware

clusters/tool.json

@@ -4272,6 +4272,16 @@
           "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
         ]
       }
+    },
+    {
+      "uuid": "65c0dff4-6b23-11e8-899f-8fcb21ad9649",
+      "value": "BabaYaga",
+      "description": "The group behind BabaYaga —believed to be Russian-speaking hackers— uses this malware to inject sites with special keyboards to drive SEO traffic to hidden pages on compromised sites. These pages are then used to redirect users to affiliate marketing links, where if the user purchases advertised goods, the hackers also make a profit.\nThe malware per-se is comprised of two modules —one that injects the spam content inside the compromised sites, and a backdoor module that gives attackers control over an infected site at any time.\nThe intricacies of both modules are detailed in much more depth in this 26-page report authored by Defiant (formerly known as WordFence), the security firm which dissected the malware's more recent versions.\n\"[BabaYaga] is relatively well-written, and it demonstrates that the author has some understanding of software development challenges, like code deployment, performance and management,\" Defiant researchers say. \"It can also infect Joomla and Drupal sites, or even generic PHP sites, but it is most fully developed around Wordpress.\"",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/lol-babayaga-wordpress-malware-updates-your-site/"
+        ]
+      }
     }
   ],
   "authors": [