Merge pull request #664 from nyx0/main

Adding TA and Tool

clusters/threat-actor.json

@@ -5660,6 +5660,7 @@
         ],
         "country": "KP",
         "refs": [
+          "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/",
           "https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html",
           "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf",
           "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
@@ -5678,13 +5679,14 @@
           "APT 37",
           "Group 123",
           "Group123",
-          "ScarCruft",
+          "InkySquid",
-          "Reaper",
-          "Reaper Group",
-          "Red Eyes",
-          "Ricochet Chollima",
           "Operation Daybreak",
           "Operation Erebus",
+          "Reaper Group",
+          "Reaper",
+          "Red Eyes",
+          "Ricochet Chollima",
+          "ScarCruft",
           "Venus 121"
         ]
       },
@@ -8862,5 +8864,5 @@
       "value": "BelialDemon"
     }
   ],
-  "version": 205
+  "version": 206
 }

clusters/tool.json

@@ -8426,7 +8426,20 @@
       },
       "uuid": "2214b113-6942-494f-94b7-576e74fccdb5",
       "value": "Matanbuchus"
+    },
+    {
+      "description": "It is likely that BLUELIGHT is used as a secondary payload following successful delivery of Cobalt Strike.",
+      "meta": {
+        "refs": [
+          "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
+        ],
+        "type": [
+          "backdoor"
+        ]
+      },
+      "uuid": "b1c4f468-1c55-40aa-bce4-c3772ef83d0c",
+      "value": "BLUELIGHT"
     }
   ],
-  "version": 146
+  "version": 147
 }