From ea68336b969559e01dbeba951837768721587d27 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 27 Aug 2019 08:28:58 +0200
Subject: [PATCH 1/3] add ref for Gamaredon

---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 31bdae9..4ebb4e1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4257,7 +4257,8 @@
 "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution",
 "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
 "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
- "https://attack.mitre.org/groups/G0047/"
+ "https://attack.mitre.org/groups/G0047/",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon"
 ]
 },
 "related": [

From 395dd93e0f11e879f5f404d476eb91b2b3919c26 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 28 Aug 2019 15:40:03 +0200
Subject: [PATCH 2/3] add Asruex Backdoor

---
 clusters/backdoor.json | 12 +++++++++++-
 clusters/threat-actor.json | 2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 4bb7a60..ac2cc9b 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
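Review bot: The cluster `version` of clusters/threat-actor.json is not bumped alongside the Gamaredon reference added in this hunk, while the next patch in the series bumps it from 126 straight to 128 with no other change to that file, which reads as a make-up for this omission. Judging by that pattern, this repository increments `version` whenever an entry changes, so the bump belongs in this commit to keep the series bisectable. Separately, the added URL points at a `tree/master` path, which is mutable; a commit-pinned path would let consumers verify what was actually cited. The context lines also show what appears to be the same Unit 42 report cited twice (`http://researchcenter.paloaltonetworks.com/...` and `https://unit42.paloaltonetworks.com/...`), a pre-existing duplicate this commit could have tidied while touching the list.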
@@ -80,7 +80,17 @@
 ],
 "uuid": "a4757e11-0837-42c0-958a-7490cff58687",
 "value": "SLUB"
+ },
+ {
+ "description": "Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.",
+ "meta": {
+ "refs": [
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/"
+ ]
+ },
+ "uuid": "b7ad60a0-d648-4775-adec-c78b1a92fc34",
+ "value": "Asruex"
 }
 ],
- "version": 5
+ "version": 6
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4ebb4e1..24eb9ea 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7689,5 +7689,5 @@
 "value": "APT41"
 }
 ],
- "version": 126
+ "version": 128
 }

From 8d78a2a108c78173cb6c02f374b3ed7a1f2e8988 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 29 Aug 2019 08:31:10 +0200
Subject: [PATCH 3/3] chg: [threat-actor] jq all

---
 clusters/threat-actor.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d5a6142..7250d68 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7644,13 +7644,13 @@
 "value": "TA428"
 },
 {
- "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
- "value": "LYCEUM",
 "meta": {
 "refs": [
 "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
 ]
- }
+ },
+ "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
+ "value": "LYCEUM"
 },
 {
 "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.",
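Review bot: The new Asruex `description` is a verbatim first-person passage from the cited Trend Micro post ("when we encountered Asruex in a PDF file, we found..."), so a reader of the cluster will take "we" to mean the galaxy maintainers; rephrase it in the third person or mark it as a quotation attributed to the reference. The DarkHotel connection it mentions only in prose would be more useful to consumers as a structured `related` link to that actor's cluster entry, the way threat-actor.json already carries a `related` array (see the `"related": [` context line in patch 1), if the backdoor cluster supports the same key. Likewise the two CVE identifiers are only discoverable by full-text search inside the description; if the galaxy schema offers a structured field for them, that is where they belong. The bump of `version` to 6 in the same hunk is consistent with the rest of the series.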
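Review bot: The LYCEUM entry being re-ordered here has no `description`, unlike the neighbouring APT41 entry whose `description` the hunk shows; since the commit already rewrites the entry's `uuid` and `value` lines, a one-sentence summary drawn from the cited Secureworks post would fit naturally in the same change. The key order produced by the reorder (meta before uuid and value) matches the Asruex entry added in patch 2, so the normalization is consistent. Note that the pre-image blob id `d5a6142` in this file header does not match patch 2's post-image `24eb9ea`, and no hunk in this series introduces the LYCEUM entry, so at least one intermediate commit appears to be missing from the series as posted. `version` is not bumped in this patch, which is defensible for a pure key-order normalization that changes no cluster content.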