From bd3fce00e1caf7950cf577e5992635eaf97b1d07 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 25 Feb 2019 16:35:06 +0100
Subject: [PATCH] add Razdel

---
 clusters/android.json | 15 +++++++++++++--
 clusters/threat-actor.json | 8 +++++---
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/clusters/android.json b/clusters/android.json
index b554a73..40ae255 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -269,7 +269,7 @@
 "description": "Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code that after specific orders from its maker would scan the user's phone for the Viber app, and then steal photos and videos recorded or sent through the app.",
 "meta": {
 "refs": [
- "http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-videos-505758.shtml"
+ "http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-BankBot-505758.shtml"
 ]
 },
 "uuid": "27354d65-ca90-4f73-b942-13046e61700c",
@@ -4642,7 +4642,18 @@
 },
 "uuid": "64ee0ae8-2e78-43bf-b81b-e7e5c2e30cd0",
 "value": "AndroidOS_HidenAd"
+ },
+ {
+ "description": "The Banking Trojan found in Google Play is identified as Razdel, a variant of BankBot mobile banking Trojan. This newly observed variant has taken mobile threats to the next level incorporating: Remote access Trojan functions, SMS interception, UI (User Interface) Overlay with masqueraded pages etc.",
+ "meta": {
+ "refs": [
+ "http://www.virusremovalguidelines.com/tag/what-is-bankbot",
+ "https://mobile.twitter.com/pr3wtd/status/1097477833625088000"
+ ]
+ },
+ "uuid": "aef548fb-76f5-4eb9-9942-f189cb0d16f6",
+ "value": "Razdel"
 }
 ],
- "version": 18
+ "version": 19
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1207015..3a0916f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
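Review bot: In clusters/android.json, hunk `@@ -269,7 +269,7 @@`, the Vibleaker reference URL looks like collateral damage from a search-and-replace: the slug segment `videos` became `BankBot` in an entry that has nothing to do with Razdel. The entry's description still says "photos and videos", and this is the only item in its `refs` array, so if the rewritten slug does not resolve the entry loses its sole source. Restore the original line, `"http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-videos-505758.shtml"`, and check the rest of the file for other places where the same replacement may have fired outside the visible hunks.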
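Review bot: In clusters/android.json, hunk `@@ -4642,7 +4642,18 @@`, the first reference of the new Razdel entry, `http://www.virusremovalguidelines.com/tag/what-is-bankbot`, is a tag listing on a removal-guide site served over plain HTTP. That is weak provenance for a malware entry and its content will drift as the tag page changes, so a vendor or researcher write-up of the variant would be a sturdier source next to the tweet. The description states that Razdel is a BankBot variant, but only in prose; if this cluster has a BankBot entry (not visible in the hunk), a `related` element pointing at that entry's uuid would make the link usable by tooling. The phrase "taken mobile threats to the next level" reads as copied promotional text and could be cut, leaving the listed capabilities.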
@@ -3469,7 +3469,8 @@
 "meta": {
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
- "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks"
+ "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks",
+ "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/"
 ],
 "synonyms": [
 "Gaza Hackers Team",
@@ -3574,7 +3575,8 @@
 "meta": {
 "country": "IR",
 "refs": [
- "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
+ "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
 ]
 },
 "uuid": "ddd95696-3d9a-4d0c-beec-a34d396182f3",
@@ -6387,5 +6389,5 @@
 "value": "STOLEN PENCIL"
 }
 ],
- "version": 93
+ "version": 94
 }
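Review bot: In hunk `@@ -3469,7 +3469,8 @@`, the added reference's own slug reads `suspected-molerats-new-attack-in-the-middle-east`, so the source appears to present the attribution as tentative, while in `refs` it carries the same weight as the FireEye and Vectra reports beside it. The `refs` array has no way to express that difference, so consider stating in the entry's `description` (outside this hunk) that the 360 report is a suspected, not confirmed, link. Analysts who pivot from this cluster to the references would otherwise read it as settled attribution.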
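Review bot: In hunk `@@ -3574,7 +3575,8 @@`, the added Symantec article is specifically about Chafer, but the hunk does not show which actor the entry with uuid `ddd95696-3d9a-4d0c-beec-a34d396182f3` describes. The existing reference's slug only says "iran-based attackers" and the entry's `value` lies outside the visible context. Confirm the entry is the Chafer one before merging, because a reference attached to the wrong actor record propagates misattribution to every consumer of the cluster.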