From 4a7560d1917e73aca1d5de7afdf534de0c50544b Mon Sep 17 00:00:00 2001
From: Thomas Dupuy <thom4s.d@gmail.com>
Date: Mon, 15 Feb 2021 12:52:53 -0500
Subject: [PATCH 1/2] Add Exaramel and P.A.S. webshell tool.

---
 clusters/tool.json | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 0606a6a..5ddaf2f 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8235,7 +8235,43 @@
       "related": [],
       "uuid": "1974ea65-7312-4d91-a592-649983b46554",
       "value": "Caterpillar WebShell"
+    },
+    {
+      "description": "The P.A.S. webshell was developed by an ukrainian student, Jaroslav Volodimirovich Panchenko, who used the nick-name Profexer. It was developed in PHP and features a characteristic password-based encryption. This tool was available through a form on his website, where a user had to provide a password to receive a custom webshell. The form suggested a donation to the developer. It was commonly used, including during a WORDPRESS website attack.",
+      "meta": {
+        "refs": [
+          "https://us-cert.cisa.gov/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
+          "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
+        ],
+        "synonyms": [
+          "Fobushell"
+        ],
+        "type": [
+          "webshell"
+        ]
+      },
+      "related": [],
+      "uuid": "6baa1f46-daa9-4f40-952b-ec613c835abb",
+      "value": "P.A.S. webshell"
+    },
+    {
+      "description": "",
+      "meta": {
+        "refs": [
+          "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+          "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
+        ],
+        "synonyms": [
+          ""
+        ],
+        "type": [
+          "backdoor"
+        ]
+      },
+      "related": [],
+      "uuid": "95174297-6dff-47d9-bcb9-263f9b2efcfb",
+      "value": "Exaramel"
     }
   ],
-  "version": 141
+  "version": 142
 }

From 178e16dc13f726afa2e97dd2527e87698f89795e Mon Sep 17 00:00:00 2001
From: Thomas Dupuy <thom4s.d@gmail.com>
Date: Tue, 16 Feb 2021 10:32:37 -0500
Subject: [PATCH 2/2] Remove empty values.

---
 clusters/tool.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 5ddaf2f..9e4ac50 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8255,15 +8255,12 @@
       "value": "P.A.S. webshell"
     },
     {
-      "description": "",
+      "description": "Exaramel is a backdoor first publicly reported by ESET in 2018. Two samples were identified, one targeting the WINDOWS operating system and the other targeting LINUX operating systems.",
       "meta": {
         "refs": [
           "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
           "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
         ],
-        "synonyms": [
-          ""
-        ],
         "type": [
           "backdoor"
         ]