Merge pull request #264 from Delta-Sierra/master

more clusters~
2018-09-20 08:36:10 +02:00 · 2018-09-20 08:36:10 +02:00 · 87a0146857
parent 79146b9d10 0a724bee3d
commit 87a0146857
3 changed files with 57 additions and 5 deletions
--- a/clusters/rat.json
+++ b/clusters/rat.json
@ -20,10 +20,20 @@
      "value": "TeamViewer"
    },
    {
-      "description": "JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains.",
+      "description": "JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. Threat actor, using a tool called JadeRAT, targets the mobile phones of ethnic minorities in China, notably Uighurs, for the purpose of espionage.   ",
      "meta": {
        "refs": [
-          "https://blog.lookout.com/mobile-threat-jaderat"
+          "https://blog.lookout.com/mobile-threat-jaderat",
+          "https://www.cfr.org/interactive/cyber-operations/jaderat"
+        ],
+        "cfr-suspected-victims": [
+          "Ethnic minorities in China"
+        ],
+        "cfr-suspected-state-sponsor": "China",
+        "cfr-type-of-incident": "Espionage",
+        "cfr-target-category": [
+          "Government",
+          "Civil society"
        ]
      },
      "uuid": "1cc8963b-5ad4-4e19-8e9a-57b0ff1ef926",
@ -2914,5 +2924,5 @@
      "value": "Hallaj PRO RAT"
    }
  ],
-  "version": 14
+  "version": 15
 }
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -2199,7 +2199,8 @@
          "https://securelist.com/blog/research/67962/the-penquin-turla-2/",
          "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf",
          "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
-          "https://www.cfr.org/interactive/cyber-operations/turla"
+          "https://www.cfr.org/interactive/cyber-operations/turla",
+          "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/"
        ],
        "synonyms": [
          "Turla",
@ -5734,5 +5735,5 @@
      "uuid": "6a0ea861-229a-45a6-98f5-228f69b43905"
    }
  ],
-  "version": 60
+  "version": 61
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -5745,6 +5745,47 @@
      },
      "uuid": "641464a6-b690-11e8-976e-bffc9a17c6a4"
    },
+    {
+      "value": "MagentoCore Malware",
+      "description": "A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites.\nThe script is what industry experts call a \"payment card scraper\" or \"skimmer.\" Hackers breach sites and modify their source code to load the script along with its legitimate files.\nThe script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker's control.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/magentocore-malware-found-on-7-339-magento-stores/"
+        ]
+      },
+      "uuid": "df05f528-bb57-11e8-9fd4-8320e14151f2"
+    },
+    {
+      "value": "NotPetya",
+      "description": "Threat actors deploy a tool, called NotPetya, with the purpose of encrypting data on victims' machines and rendering it unusable. The malware was spread through tax software that companies and individuals require for filing taxes in Ukraine. Australia, Estonia, Denmark, Lithuania, Ukraine, the United Kingdom, and the United States issued statements attributing NotPetya to Russian state-sponsored actors. In June 2018, the United States sanctioned Russian organizations believed to have assisted the Russian state-sponsored actors with the operation.",
+      "meta": {
+        "refs": [
+          "https://www.cfr.org/interactive/cyber-operations/notpetya"
+        ],
+        "synonyms": [
+          "Not Petya"
+        ],
+        "cfr-suspected-victims": [
+          "Rosneft",
+          "Cie de Saint-Gobain",
+          "Mondelez",
+          "The government of Ukraine",
+          "WPP Plc.",
+          "SNCF",
+          "Port of Rosario",
+          "Maersk",
+          "Merck",
+          "Kyivenergo"
+        ],
+        "cfr-suspected-state-sponsor": "Russian Federation",
+        "cfr-type-of-incident": "Data destruction",
+        "cfr-target-category": [
+          "Government",
+          "Private sector"
+        ]
+      },
+      "uuid": "00c31914-bc0e-11e8-8241-3ff3b5e4671d"
+    },
    {
      "value": "Xbash",
      "description": "Xbash is a malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.",