Merge pull request #48 from Delta-Sierra/master

add Cardinal RAT

clusters/tool.json

@@ -2729,8 +2729,17 @@
           "https://www.fireeye.com/blog/threat-research/2010/10/feodosoff-a-new-botnet-on-the-rise.html"
         ]
       },
-      "description": "Unfortunately, it is time to meet 'Feodo'. Since august of this year when FireEye's MPS devices detected this malware in the field, we have been monitoring this banking trojan very closely. In many ways, this malware looks similar to other famous banking trojans like Zbot and SpyEye.  Although my analysis says that this malware is not a toolkit and is in the hands of a single criminal group. ",
+      "description": "Unfortunately, it is time to meet 'Feodo'. Since august of this year when FireEye's MPS devices detected this malware in the field, we have been monitoring this banking trojan very closely. In many ways, this malware looks similar to other famous banking trojans like Zbot and SpyEye.  Although my analysis says that this malware is not a toolkit and is in the hands of a single criminal group.",
       "value": "feodo"
+    },
+    {
+      "meta": {
+        "refs": [
+          "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/"
+        ]
+      },
+      "description": "Palo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. It has a very low volume in this two-year period, totaling roughly 27 total samples. The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.",
+      "value": "Cardinal RAT"
     }
   ],
   "version": 31,