From 0843fdfb23ab7f3b2ed1711bc98bc04f26bfebbe Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 13 Sep 2018 09:03:41 +0200
Subject: [PATCH 1/4] adding and updating clusters
---
 clusters/botnet.json | 16 ++++++++++++++--
 clusters/tool.json | 15 ++++++++++++++-
 2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index 243fa61..8033e87 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -579,7 +579,8 @@
 "meta": {
 "date": "August 2016",
 "refs": [
- "https://en.wikipedia.org/wiki/Mirai_(malware)"
+ "https://en.wikipedia.org/wiki/Mirai_(malware)",
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/"
 ]
 },
 "related": [
@@ -800,7 +801,18 @@
 },
 "uuid": "07815089-e2c6-4084-9a62-3ece7210f33f",
 "value": "Bamital"
+ },
+ {
+ "value": "Gafgyt",
+ "description": "Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/",
+ "https://www.symantec.com/security-center/writeup/2014-100222-5658-99"
+ ]
+ },
+ "uuid": "40795af6-b721-11e8-9fcb-570c0b384135"
 }
 ],
- "version": 9
+ "version": 10
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 151688b..950ef71 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
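Review bot: The new Gafgyt entry's description refers to "a newly disclosed vulnerability affecting older, unsupported versions of SonicWall's Global Management System" without naming it, so consumers cannot correlate this cluster with vulnerability data; the cited Unit 42 post identifies the flaw, and the identifier should be recorded, e.g. `"description": "... SonicWall’s Global Management System (GMS) (<vulnerability ID from the Unit 42 reference>)."`. The entry also orders its keys `value`, `description`, `meta`, `uuid`, whereas the adjacent Bamital entry ends with `uuid` then `value`; if the repository runs a formatter over the cluster files, the ordering will be rewritten anyway, otherwise it is worth matching the neighbours by hand. This family is known under other names in vendor reporting, so if the botnet cluster already carries it under a different value, a `synonyms` list should be added to avoid a duplicate rather than a second entry.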
@@ -5731,7 +5731,20 @@
 ]
 },
 "uuid": "69ed8a69-8b33-4195-9b21-a1f4cd76acde"
+ },
+ {
+ "value": "Sirefef",
+ "description": "This family of malware uses stealth to hide its presence on your PC. Trojans in this family can do different things, including: -Downloading and running other files -Contacting remote hosts -Disabling security features\nMembers of the family can also change search results, which can generate money for the hackers who use Sirefef.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2Fsirefef"
+ ],
+ "synonyms": [
+ "Win32/Sirefef"
+ ]
+ },
+ "uuid": "641464a6-b690-11e8-976e-bffc9a17c6a4"
 }
 ],
- "version": 86
+ "version": 87
 }
From 17d39594451c6e5e864d3f627717988c5dec5dd0 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 13 Sep 2018 11:34:57 +0200
Subject: [PATCH 2/4] add Crypt0saur ransomware
---
 clusters/ransomware.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 9fe0606..764a72e 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -10554,7 +10554,11 @@
 ]
 },
 "uuid": "df025902-b29e-11e8-a2ab-739167419c52"
+ },
+ {
+ "value": "Crypt0saur",
+ "uuid": "32406292-b738-11e8-ab97-1f674b130624"
 }
 ],
- "version": 32
+ "version": 33
 }
From 1dcf2e50a77e48aa0145c11918cd956235682638 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 13 Sep 2018 12:33:19 +0200
Subject: [PATCH 3/4] add blacknurse
---
 clusters/branded_vulnerability.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/clusters/branded_vulnerability.json b/clusters/branded_vulnerability.json
index 1f036e1..9102535 100644
--- a/clusters/branded_vulnerability.json
+++ b/clusters/branded_vulnerability.json
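Review bot: The Sirefef description in the tool.json hunk carries over a bulleted list as inline text ("including: -Downloading and running other files -Contacting remote hosts -Disabling security features") with a single embedded `\n`, which renders as a run-on with stray hyphens in any UI that shows the description; rewriting it as prose such as `"description": "This family of malware uses stealth to hide its presence on the infected system. Trojans in this family can download and run other files, contact remote hosts and disable security features. Members of the family can also change search results, which can generate money for the operators of Sirefef."` keeps the source's facts without the second-person "your PC" wording. The cited Microsoft write-up calls this "a family of malware", while the same series files Gafgyt under botnet.json, so it may be worth confirming that tool.json is the intended cluster for it rather than the botnet or malware cluster.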
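Review bot: The Crypt0saur entry added in the ransomware.json hunk has only `value` and `uuid`, with no `description` and no `meta.refs`, so there is nothing a consumer can use to verify the family exists or to tell it apart from similarly named ransomware; every neighbouring entry visible in the hunk carries a `meta` block. At minimum add the source the name was taken from, e.g. `"meta": { "refs": [ "<source URL for Crypt0saur>" ] }`, and a one-sentence description if the source gives one.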
@@ -147,7 +147,12 @@
 },
 "uuid": "e85e1270-eec5-4331-8004-a063125a54b4",
 "value": "ImageTragick"
+ },
+ {
+ "uuid": "3c2325e4-b740-11e8-9504-b32b4d974add",
+ "description": "Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.",
+ "value": "Blacknurse"
 }
 ],
- "version": 1
+ "version": 2
 }
From ff9409e1643dd1499e3efd32b01c016f1c9c4ac3 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 13 Sep 2018 12:42:01 +0200
Subject: [PATCH 4/4] add blacknurse logo
---
 clusters/branded_vulnerability.json | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/clusters/branded_vulnerability.json b/clusters/branded_vulnerability.json
index 9102535..f3729e1 100644
--- a/clusters/branded_vulnerability.json
+++ b/clusters/branded_vulnerability.json
@@ -149,6 +149,11 @@
 "value": "ImageTragick"
 },
 {
+ "meta": {
+ "logo": [
+ "http://blacknurse.dk/____impro/1/onewebmedia/blacknurse2.png?etag=W%2F%2214e7-5761287d%22&sourceContentType=image%2Fpng&ignoreAspectRatio&resize=200%2B200&extract=0%2B40%2B200%2B114"
+ ]
+ },
 "uuid": "3c2325e4-b740-11e8-9504-b32b4d974add",
 "description": "Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.",
 "value": "Blacknurse"
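Review bot: The Blacknurse entry in the first branded_vulnerability.json hunk has no `meta.refs`, and its description is lifted first-person text ("The earliest samples we have seen"), which in a shared cluster reads as a claim by the galaxy maintainers rather than by the original reporter; add the source as a reference and rephrase, e.g. `"description": "Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets that causes high CPU loads on affected firewalls; it was first described in November 2016, and the earliest samples reported to support this method date from September 2017."`. Since the hunk describes a DDoS technique rather than a software vulnerability, it is also worth confirming that branded_vulnerability is the intended cluster rather than an attack-pattern cluster.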
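Review bot: The logo added in the second branded_vulnerability.json hunk is a plain `http://` hotlink to a third-party site with an `etag=...` value and image-processing parameters baked into the query string, so any client that renders galaxy logos will fetch it over cleartext, and the link will break as soon as the host re-renders the image or changes its cache key. Prefer an `https://` URL if the host serves one, or a stable URL without the `etag`/`resize`/`extract` parameters; if the project keeps logos locally for other clusters, vendoring a copy is the more durable option.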