From cddfd5fcd18e410eee7fc6bdea405af656e68ab6 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 11 Jan 2019 09:53:08 +0100
Subject: [PATCH] TA505 threat actorand affiliates malwares
---
 clusters/backdoor.json | 12 +++++++++++-
 clusters/rat.json | 12 +++++++++++-
 clusters/threat-actor.json | 13 ++++++++++++-
 3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 8518a70..b1deff9 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -41,7 +41,17 @@
 },
 "uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786",
 "value": "Rosenbridge"
+ },
+ {
+ "description": "The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.\n\n\"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit,\" researchers from Proofpoint explain in an analysis released today.\n\nThe other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/"
+ ]
+ },
+ "uuid": "8b50360c-4d16-4f52-be75-e74c27f533df",
+ "value": "ServHelper"
 }
 ],
- "version": 3
+ "version": 4
 }
diff --git a/clusters/rat.json b/clusters/rat.json
index d641060..92bc2dc 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
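Review bot: The new ServHelper cluster records no relationship to the FlawedGrace and TA505 entries added by the same patch (the rat.json and threat-actor.json hunks have the same gap), even though its own description names FlawedGrace as the second-stage payload, so the galaxy cannot pivot between the three. Consider adding next to `meta` a `"related": [{"dest-uuid": "428c8288-6f65-453f-bfa2-4b519d08f8e9", "type": "RELATION_TYPE_PLACEHOLDER"}]` entry (placeholder type to be replaced with the relationship type this galaxy uses), with the reverse links from TA505 (uuid 03c80674-35f8-4fe0-be2b-226ed0fcd69f) to both malware entries. The description also opens with `The purpose of the macro was to download and execute a variant of ServHelper`, where "the macro" has no antecedent outside the cited article; a leading sentence such as `ServHelper is a backdoor delivered via malicious email attachments, observed in two variants: ...` would make the entry self-contained. Since the text quotes a Proofpoint analysis, that primary source belongs in `refs` alongside the news article.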
@@ -3298,7 +3298,17 @@
 },
 "uuid": "ef9f1592-0186-4f5d-a8ea-6c10450d2219",
 "value": "BONDUPDATER"
+ },
+ {
+ "description": "Proofpoint also point out that FlawedGrace is a full-featured RAT written in C++ and that it is a very large program that \"extensive use of object-oriented and multithreaded programming techniques. \"As a consequence, getting familiar with its internal structure takes a lot of time and is far from a simple task.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/"
+ ]
+ },
+ "uuid": "428c8288-6f65-453f-bfa2-4b519d08f8e9",
+ "value": "FlawedGrace"
 }
 ],
- "version": 23
+ "version": 24
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3508411..7e5b280 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6126,7 +6126,18 @@
 },
 "uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
 "value": "Operation Sharpshooter"
+ },
+ {
+ "description": "TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/",
+ "https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png"
+ ]
+ },
+ "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
+ "value": "TA505"
 }
 ],
- "version": 84
+ "version": 85
 }
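Review bot: The FlawedGrace description carries a broken quotation: `\"extensive use of object-oriented and multithreaded programming techniques. \"As a consequence` opens a quote, closes it after "techniques.", then reopens one that is never closed, and the clause `a very large program that \"extensive use` is missing its verb. Suggested wording: `... it is a very large program that makes \"extensive use of object-oriented and multithreaded programming techniques. As a consequence, getting familiar with its internal structure takes a lot of time and is far from a simple task.\"` (the verb is inferred from context; check it against the quoted Proofpoint text). `Proofpoint also point out` also presupposes the preceding article paragraph; `Proofpoint describes FlawedGrace as ...` reads standalone.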
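Review bot: `has been in the cybercrime business for at least four years` in the TA505 description is relative to the cited article's publication date and will silently go stale in a reference dataset that is versioned and redistributed for years. Anchor it to the reporting date instead, e.g. `TA505, the name given by Proofpoint, had been active in cybercrime for at least four years as of January 2019.` (the month is taken from this commit's date; confirm against the article). `via Necurs botnet` should read `via the Necurs botnet`.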