From b50c8bd805c8d2a9bf933400bdfba33495b452d4 Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Fri, 23 Nov 2018 10:38:36 +0100
Subject: [PATCH] add PNG Dropper

---
 clusters/threat-actor.json |  5 +++--
 clusters/tool.json         | 15 +++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ca89856..10db40c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2242,7 +2242,8 @@
           "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf",
           "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
           "https://www.cfr.org/interactive/cyber-operations/turla",
-          "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/"
+          "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
+          "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/"
         ],
         "synonyms": [
           "Turla",
@@ -6029,5 +6030,5 @@
       "value": "INDRIK SPIDER"
     }
   ],
-  "version": 80
+  "version": 81
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index d6e310b..234649c 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7405,6 +7405,21 @@
       },
       "uuid": "1ac4a966-0c74-46d5-b7e1-a40f4c681bc8",
       "value": "China Chopper"
+    },
+    {
+      "description": "The PNG_dropper family primarily uses a modified version of the publicly available tool JPEGView.exe (version 1.0.32.1 – both x86 and x64 bit versions).  Carbon Black Threat Research also observed where PNG_dropper malware was seen compiled into a modified version of the 7-Zip File Manager Utility (version 9.36.0.0 – x64 bit). ",
+      "meta": {
+        "refs": [
+          "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/",
+          "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/"
+        ],
+        "synonyms": [
+          "PNG_Dropper",
+          "PNGDropper"
+        ]
+      },
+      "uuid": "6ab71ed6-e5c7-4545-a46e-6445e78758ed",
+      "value": "PNG Dropper"
     }
   ],
   "version": 101