From 880c74f469667ddb81a773a5631bc6c389ec894e Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 9 Nov 2017 09:25:16 +0100
Subject: [PATCH] add ALMA Communicator
---
 clusters/tool.json | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 8da1a550..9e40b3c1 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3011,6 +3011,15 @@
 "https://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/"
 ]
 }
+ },
+ {
+ "value": "ALMA Communicator",
+ "description": "The ALMA Communicator Trojan is a backdoor Trojan that uses DNS tunneling exclusively to receive commands from the adversary and to exfiltrate data. This Trojan specifically reads in a configuration from the cfg file that was initially created by the Clayslide delivery document. ALMA does not have an internal configuration, so the Trojan does not function without the cfg file created by the delivery document.",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/"
+ ]
+ }
 }
 ]
 }
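Review bot: The new "ALMA Communicator" entry keeps everything a consumer would filter or pivot on in free text: the backdoor classification and the Clayslide dependency appear only in `description`, and the OilRig association only in the slug of the URL under `refs`. If other entries in this cluster carry structured fields in `meta`, adding the matching one here (for example `"type": ["Backdoor"]` next to `refs`) would let detection and enrichment tooling select the entry without parsing prose; I cannot see the neighbouring entries' schema from this hunk, so confirm the field name against them. Separately, the diffstat shows only these 9 insertions, so if the file has a top-level version number that consumers use to notice updates, this commit does not bump it.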