From e0bb3d76a6b0625e80e66ec48f8997947ef2db2f Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Thu, 21 Mar 2019 18:06:03 +0100
Subject: [PATCH] added APT-C-27 / GoldMouse
---
 clusters/threat-actor.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b3bcf16..ef3a855 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6632,7 +6632,20 @@
 },
 "uuid": "35c40ce2-57c0-479e-8a56-efbb8695e395",
 "value": "Operation Comando"
+ },
+ {
+ "description": "On March 17, 2019, 360 Threat Intelligence Center captured a target attack sample against the Middle East by exploiting WinRAR vulnerability (CVE-2018-20250[6]), and it seems that the attack is carried out by the Goldmouse APT group (APT-C-27). There is a decoy Word document inside the archive regarding terrorist attacks to lure the victim into decompressing. When the archive gets decompressed on the vulnerable computer, the embedded njRAT backdoor (Telegram Desktop.exe) will be extracted to the startup folder and then triggered into execution if the victim restarts the computer or performs re-login. After that, the attacker is capable to control the compromised device.",
+ "meta": {
+ "refs": [
+ "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/"
+ ],
+ "synonyms": [
+ "GoldMouse"
+ ]
+ },
+ "uuid": "5b776efb-c334-4cd2-92c7-7123f06726ae",
+ "value": "APT-C-27"
 }
 ],
- "version": 103
+ "version": 104
 }
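Review bot: The new `description` still carries a footnote marker copied from the 360 blog post's reference list, `(CVE-2018-20250[6])`; it should read `(CVE-2018-20250)`, since the `[6]` points at nothing in this cluster and will be shown verbatim to anyone browsing the entry. The same string spells the actor `Goldmouse` while the `synonyms` array has `GoldMouse`, so a consumer matching on the synonym will not find the name as it appears in the description; the cited blog title uses `Goldmouse`, so aligning the synonym to that spelling looks like the safer choice, though whether case matters depends on the consumer. The `refs` URL contains bare `(`, `)` and `:` in the path, which is valid per RFC 3986 but gets cut at the `)` by some Markdown and link-autodetecting renderers; percent-encoding them as `%28`, `%29` and `%3A` avoids that. Finally, `Telegram Desktop.exe` is mentioned only as a parenthetical and can be read as the legitimate client, so phrasing it as `the embedded njRAT backdoor, dropped under the name Telegram Desktop.exe,` would make clear it is the attacker's artifact.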