From fd960bfc1b04b0c7092b453388c111aea52b7593 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 18 Sep 2018 23:10:33 +0200
Subject: [PATCH 1/3] Add magentocore malware

---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 950ef714..c6a7dc8c 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -5744,7 +5744,17 @@
 ]
 },
 "uuid": "641464a6-b690-11e8-976e-bffc9a17c6a4"
+ },
+ {
+ "value": "MagentoCore Malware",
+ "description":"A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites.\nThe script is what industry experts call a \"payment card scraper\" or \"skimmer.\" Hackers breach sites and modify their source code to load the script along with its legitimate files.\nThe script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker's control.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/magentocore-malware-found-on-7-339-magento-stores/"
+ ]
+ },
+ "uuid": "df05f528-bb57-11e8-9fd4-8320e14151f2"
 }
 ],
- "version": 87
+ "version": 88
 }

From 058f778e61d9a0b2c36ffd5f135e5d78c94e15bd Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 19 Sep 2018 09:04:04 +0200
Subject: [PATCH 2/3] add references

---
 clusters/threat-actor.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a0031f0a..879e7bec 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2198,7 +2198,8 @@
 "https://securelist.com/blog/research/67962/the-penquin-turla-2/",
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf",
 "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
- "https://www.cfr.org/interactive/cyber-operations/turla"
+ "https://www.cfr.org/interactive/cyber-operations/turla",
+ "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/"
 ],
 "synonyms": [
 "Turla",
@@ -5714,5 +5715,5 @@
 "uuid": "abd89986-b1b0-11e8-b857-efe290264006"
 }
 ],
- "version": 57
+ "version": 58
 }

From 3f22dbd17d3c1bc657378129f7c8c6dfb75124dc Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 19 Sep 2018 15:06:43 +0200
Subject: [PATCH 3/3] add notpetya and update jadeRAT

---
 clusters/rat.json | 16 +++++++++++++---
 clusters/tool.json | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/clusters/rat.json b/clusters/rat.json
index a603c7a6..f8024508 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -20,10 +20,20 @@
 "value": "TeamViewer"
 },
 {
- "description": "JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains.",
+ "description": "JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. Threat actor, using a tool called JadeRAT, targets the mobile phones of ethnic minorities in China, notably Uighurs, for the purpose of espionage. ",
 "meta": {
 "refs": [
- "https://blog.lookout.com/mobile-threat-jaderat"
+ "https://blog.lookout.com/mobile-threat-jaderat",
+ "https://www.cfr.org/interactive/cyber-operations/jaderat"
+ ],
+ "cfr-suspected-victims": [
+ "Ethnic minorities in China"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Civil society"
 ]
 },
 "uuid": "1cc8963b-5ad4-4e19-8e9a-57b0ff1ef926",
@@ -2914,5 +2924,5 @@
 "value": "Hallaj PRO RAT"
 }
 ],
- "version": 14
+ "version": 15
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index c6a7dc8c..1cbeff9e 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
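Review bot: The new JadeRAT description ends with a trailing space inside the string literal, `...for the purpose of espionage. "`; trim it to `...for the purpose of espionage."` so the value does not carry stray whitespace into every consumer that displays or hashes it. The added `cfr-*` meta keys use the same shape as the NotPetya entry added to tool.json in this series (arrays for `cfr-suspected-victims` and `cfr-target-category`, scalars for the sponsor and incident type), which keeps the two entries consistent with each other.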
@@ -5747,13 +5747,43 @@
 },
 {
 "value": "MagentoCore Malware",
- "description":"A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites.\nThe script is what industry experts call a \"payment card scraper\" or \"skimmer.\" Hackers breach sites and modify their source code to load the script along with its legitimate files.\nThe script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker's control.",
+ "description": "A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites.\nThe script is what industry experts call a \"payment card scraper\" or \"skimmer.\" Hackers breach sites and modify their source code to load the script along with its legitimate files.\nThe script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker's control.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/magentocore-malware-found-on-7-339-magento-stores/"
 ]
 },
 "uuid": "df05f528-bb57-11e8-9fd4-8320e14151f2"
+ },
+ {
+ "value": "NotPetya",
+ "description": "Threat actors deploy a tool, called NotPetya, with the purpose of encrypting data on victims' machines and rendering it unusable. The malware was spread through tax software that companies and individuals require for filing taxes in Ukraine. Australia, Estonia, Denmark, Lithuania, Ukraine, the United Kingdom, and the United States issued statements attributing NotPetya to Russian state-sponsored actors. 
In June 2018, the United States sanctioned Russian organizations believed to have assisted the Russian state-sponsored actors with the operation.",
+ "meta": {
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/notpetya"
+ ],
+ "synonyms": [
+ "Not Petya"
+ ],
+ "cfr-suspected-victims": [
+ "Rosneft",
+ "Cie de Saint-Gobain",
+ "Mondelez",
+ "The government of Ukraine",
+ "WPP Plc.",
+ "SNCF",
+ "Port of Rosario",
+ "Maersk",
+ "Merck",
+ "Kyivenergo"
+ ],
+ "cfr-suspected-state-sponsor": "Russian Federation",
+ "cfr-type-of-incident": "Data destruction",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
+ ]
+ }
 }
 ],
 "version": 88
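Review bot: The new NotPetya object has no `"uuid"` key, while every other cluster entry touched in this series (the MagentoCore entry directly above it, the JadeRAT entry in rat.json and the threat-actor.json entry) carries one; add `"uuid": "<freshly-generated-uuid>"` (placeholder) after the closing `}` of `"meta"`, with a comma on that `}`, so the entry can be referenced and deduplicated like its siblings. The description value is also broken across two lines between `actors. ` and `In June 2018`, and the continuation carries no `+` marker; the hunk header's 43-line new side and the 32-insertion diffstat imply the description is a single line, so this is presumably a stray line-separator or control character rather than a real newline — if it is a control character, a strict RFC 8259 parser rejects the whole file. The MagentoCore entry above shows the convention for a break inside a description is an escaped `\n`, so either replace the character with `\n` or join the two sentences with a single space.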