Merge pull request #304 from Delta-Sierra/master

add PNG Dropper

clusters/threat-actor.json

@@ -2242,7 +2242,8 @@
           "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf",
           "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
           "https://www.cfr.org/interactive/cyber-operations/turla",
-          "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/"
+          "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
+          "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/"
         ],
         "synonyms": [
           "Turla",
@@ -6029,5 +6030,5 @@
       "value": "INDRIK SPIDER"
     }
   ],
-  "version": 80
+  "version": 81
 }

clusters/tool.json

@@ -7405,7 +7405,22 @@
       },
       "uuid": "1ac4a966-0c74-46d5-b7e1-a40f4c681bc8",
       "value": "China Chopper"
+    },
+    {
+      "description": "The PNG_dropper family primarily uses a modified version of the publicly available tool JPEGView.exe (version 1.0.32.1 – both x86 and x64 bit versions).  Carbon Black Threat Research also observed where PNG_dropper malware was seen compiled into a modified version of the 7-Zip File Manager Utility (version 9.36.0.0 – x64 bit). ",
+      "meta": {
+        "refs": [
+          "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/",
+          "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/"
+        ],
+        "synonyms": [
+          "PNG_Dropper",
+          "PNGDropper"
+        ]
+      },
+      "uuid": "6ab71ed6-e5c7-4545-a46e-6445e78758ed",
+      "value": "PNG Dropper"
     }
   ],
-  "version": 101
+  "version": 102
 }