From a27534cfa15fc11f65bbe8cd991221f2598d9aa6 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 28 Sep 2018 15:40:00 +0200
Subject: [PATCH 1/4] add refs
---
 clusters/botnet.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index 12f09be..334058a 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -677,7 +677,8 @@
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/",
- "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/"
+ "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/",
+ "https://www.bleepingcomputer.com/news/security/hide-and-seek-botnet-adds-infection-vector-for-android-devices/"
 ],
 "synonyms": [
 "HNS",
@@ -888,5 +889,5 @@
 "uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56"
 }
 ],
- "version": 12
+ "version": 13
 }
From f828c8f79e2d2397e0e5a04eb46cc79e755b168b Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 28 Sep 2018 16:18:54 +0200
Subject: [PATCH 2/4] add synonym
---
 clusters/botnet.json | 3 +++
 clusters/ransomware.json | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index 334058a..714be72 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -848,6 +848,9 @@
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/",
 "https://www.symantec.com/security-center/writeup/2014-100222-5658-99"
+ ],
+ "synonyms": [
+ "Bashlite"
 ]
 },
 "uuid": "40795af6-b721-11e8-9fcb-570c0b384135"
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index c3ba744..7a2a6d7 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
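Review bot: The `"version"` field of clusters/botnet.json is not incremented in this patch — the diffstat reports 3 insertions and 0 deletions, so only the `"synonyms"` block at hunk 848 is added — whereas PATCH 1/4 bumps it from 12 to 13 for a comparable content edit. If consumers rely on `"version"` to detect a changed cluster file, an edit without a bump can be missed on update, so the fix is the same one-line change used in PATCH 1/4, `- "version": 13` / `+ "version": 14`, at the end of the file outside this hunk. The same omission appears in this patch's clusters/ransomware.json hunk (2 insertions, 1 deletion — the ref only) and in PATCH 4/4's clusters/threat-actor.json hunk, which should each bump their file's version as well. The object that receives the new `"synonyms"` array starts outside the hunk.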
@@ -9608,7 +9608,8 @@
 "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
 "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/",
 "https://www.bleepingcomputer.com/news/security/gandcrab-version-3-released-with-autorun-feature-and-desktop-background/",
- "https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/"
+ "https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-v5-ransomware-utilizing-the-alpc-task-scheduler-exploit/"
 ]
 },
 "related": [
From 35582f7ed5f673f2af532bfeafdfbe4fdefae367 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 1 Oct 2018 11:52:40 +0200
Subject: [PATCH 3/4] new threat actors & tools
---
 clusters/threat-actor.json | 22 +++++++++++++++++++++-
 clusters/tool.json | 22 +++++++++++++++++++++-
 2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 84a92f6..ebf32c3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5880,7 +5880,27 @@
 ]
 },
 "uuid": "6c79bd1a-bfde-11e8-8c33-db4d9968671a"
+ },
+ {
+ "value": "MageCart",
+ "description": "Digital threat management company RiskIQ tracks the activity of MageCart group and reported their use of web-based card skimmers since 2016.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/"
+ ]
+ },
+ "uuid": "0768fd50-c547-11e8-9aa5-776183769eab"
+ },
+ {
+ "value": "Domestic Kitten",
+ "description": "An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/"
+ ]
+ },
+ "uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee"
 }
 ],
- "version": 66
+ "version": 67
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 7493a83..f0991b9 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
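Review bot: Both new entries cite only secondary news coverage even though their own descriptions name the primary research — RiskIQ for MageCart and CheckPoint for Domestic Kitten — so each `"refs"` array should also carry the vendor write-up the article is based on, e.g. `"<primary RiskIQ/CheckPoint report URL>"`, so an analyst can verify the attribution and targeting claims at the source. The descriptions are pasted article prose rather than a neutral summary; the MageCart one could be reduced to what is established in the text (`"Web-skimming group tracked by RiskIQ; card-skimmer activity reported since 2016."`), and the Domestic Kitten one should make explicit that it describes a surveillance campaign whose operator is not named, since this file models threat actors. PATCH 4/4 immediately appends a second MageCart ref that could have been included here. The array these objects are appended to starts outside the hunk.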
@@ -5819,7 +5819,27 @@
 ]
 },
 "uuid": "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/"
+ },
+ {
+ "value": "Chainshot",
+ "description": "The new piece of malware, which received the name Chainshot, is used in the early stages of an attack to activate a downloader for the final payload in a malicious chain reaction.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-chainshot-malware-found-by-cracking-512-bit-rsa-key/"
+ ]
+ },
+ "uuid": "a032460e-c54c-11e8-9965-43b7b6469a65"
+ },
+ {
+ "value": "CroniX",
+ "description": "The researchers named this campaign CroniX, a moniker that derives from the malware's use of Cron to achieve persistence and Xhide to launch executables with fake process names. The cryptocurrency minted on victim's computers is Monero (XMR), the coin of choice in cryptojacking activities. To make sure that rival activity does not revive, CroniX deletes the binaries of other cryptominers present on the system. Another action CroniX takes to establish supremacy on the machine is to check the names of the processes and kill those that swallow 60% of the CPU or more.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/cronix-cryptominer-kills-rivals-to-reign-supreme/"
+ ]
+ },
+ "uuid": "55d29d1c-c550-11e8-9904-47c1d86af7c5"
 }
 ],
- "version": 88
+ "version": 89
 }
From 403f1624512d16b2bad2610714da206ba9d3bfec Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 1 Oct 2018 11:54:07 +0200
Subject: [PATCH 4/4] add ref for magecart
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ebf32c3..8934153 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
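Review bot: The context line `"uuid": "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/"` shows that the LoJax entry directly above the new ones carries a URL in its `"uuid"` field; every other entry in this hunk uses a UUID there, and a malformed identifier will fail any schema check on the cluster and break tooling that keys entries or relationships on `"uuid"`. Since this patch already bumps `"version"` to 89, the repair belongs in the same change: move the URL into that entry's `"meta"."refs"` array and set `"uuid": "<newly generated UUID>"`. The LoJax object begins outside the hunk, so the edit touches lines not shown here.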
@@ -5886,7 +5886,8 @@
 "description": "Digital threat management company RiskIQ tracks the activity of MageCart group and reported their use of web-based card skimmers since 2016.",
 "meta": {
 "refs": [
- "https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/"
+ "https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/",
+ "https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/"
 ]
 },
 "uuid": "0768fd50-c547-11e8-9aa5-776183769eab"