From 5cac510818894891d5589586f555f42cd1461658 Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Wed, 13 Dec 2017 14:57:38 +0100
Subject: [PATCH 1/2] update threat actor galaxy

---
 clusters/threat-actor.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7d2d61b2..d5aeb11e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2230,6 +2230,17 @@
       },
       "description": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.",
       "value": "MuddyWater"
+    },
+    {
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/",
+          "https://www.group-ib.com/resources/reports/money-taker.html",
+          "https://www.group-ib.com/blog/moneytaker"
+        ]
+      },
+      "description": "In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.",
+      "value": "MoneyTaker"
     }
   ],
   "name": "Threat actor",
@@ -2244,5 +2255,5 @@
   ],
   "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
   "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-  "version": 29
+  "version": 30
 }

From e891373ce81289274b1835ccd6a1447815383ed7 Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Wed, 13 Dec 2017 15:15:57 +0100
Subject: [PATCH 2/2] Add MoneyTaker

---
 clusters/tool.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 35e9e986..ab009de1 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
   ],
   "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
   "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
-  "version": 40,
+  "version": 41,
   "values": [
     {
       "meta": {
@@ -3105,6 +3105,15 @@
           "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-spreads-via-nulled-wordpress-themes/"
         ]
       }
+    },
+    {
+      "value": "MoneyTaker 5.0",
+      "description": "malicious program for auto replacement of payment data in AWS CBR",
+      "meta": {
+        "refs": [
+          "https://www.group-ib.com/blog/moneytaker"
+        ]
+      }
     }
   ]
 }