From d020efd276db943f2344b8e533974b94253becd3 Mon Sep 17 00:00:00 2001
From: Delta-Sierra <deborah.servili@gmail.com>
Date: Tue, 15 Nov 2022 11:57:10 +0100
Subject: [PATCH] add raspberry Robin worm & others

---
 clusters/banker.json       |  8 +++--
 clusters/malpedia.json     |  3 +-
 clusters/ransomware.json   |  3 +-
 clusters/rat.json          |  7 ++++
 clusters/threat-actor.json | 23 ++++++++++++
 clusters/tool.json         | 73 ++++++++++++++++++++++++++++++++++++--
 6 files changed, 111 insertions(+), 6 deletions(-)

diff --git a/clusters/banker.json b/clusters/banker.json
index 3cbacec0..38a2f191 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -890,7 +890,11 @@
         "refs": [
           "https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/",
           "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
-          "http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html"
+          "http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html",
+          "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
+        ],
+        "synonyms": [
+          "BokBot"
         ]
       },
       "related": [
@@ -1193,5 +1197,5 @@
       "value": "Dark Tequila"
     }
   ],
-  "version": 16
+  "version": 17
 }
diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index 6c50ff22..3cfe1566 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -7315,7 +7315,8 @@
           "https://killingthebear.jorgetesta.tech/actors/evil-corp",
           "https://experience.mandiant.com/trending-evil/p/1",
           "https://www.lac.co.jp/lacwatch/report/20220407_002923.html",
-          "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm"
+          "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm",
+          "https://redcanary.com/threat-detection-report/threats/socgholish/"
         ],
         "synonyms": [
           "FakeUpdate",
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index eca2ed9d..6cf16240 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -14017,7 +14017,8 @@
           ".Clop2"
         ],
         "refs": [
-          "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
+          "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+          "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
         ]
       },
       "uuid": "21b349c3-ede2-4e11-abda-1444eb272eff",
diff --git a/clusters/rat.json b/clusters/rat.json
index c87ed04e..8e340bb1 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3216,6 +3216,13 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "similar"
+        },
+        {
+          "dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
         }
       ],
       "uuid": "3c1003a2-8364-467a-b9b8-fcc19724a9b5",
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b4923fb4..f8bcc41e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9884,6 +9884,29 @@
       },
       "uuid": "6a83b2bf-0c51-4c9b-89b0-35df7cab1dd5",
       "value": "APT-Q-12"
+    },
+    {
+      "description": "GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.",
+      "meta": {
+        "refs": [
+          "https://www.secureworks.com/research/threat-profiles/gold-prelude"
+        ],
+        "synonyms": [
+          "TA569",
+          "UNC1543"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
+        }
+      ],
+      "uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387",
+      "value": "GOLD PRELUDE"
     }
   ],
   "version": 250
diff --git a/clusters/tool.json b/clusters/tool.json
index 40047698..bdf8e233 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8575,7 +8575,8 @@
       "description": "BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malware’s jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.",
       "meta": {
         "refs": [
-          "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
+          "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html",
+          "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
         ],
         "type": [
           "backdoor"
@@ -8612,7 +8613,75 @@
       },
       "uuid": "e10ff67f-8b52-4648-9217-da53ff7d52f9",
       "value": "SharPyShell"
+    },
+    {
+      "description": "Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active. ",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
+        ],
+        "type": "Worm"
+      },
+      "uuid": "70dc3e92-9b3b-4fc1-abd2-d98985d83225",
+      "value": "Raspberry Robin"
+    },
+    {
+      "description": "The Fauppod malware delivers a JavaScript backdoor to gain unauthorized access to the target system and deploy additional malware.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
+        ]
+      },
+      "uuid": "9f0224f6-dd46-4a23-a3fd-d295abae5f93",
+      "value": "Fauppod"
+    },
+    {
+      "description": "This threat takes multiple screenshots of your desktop. It saves all screenshots in a .dat file that becomes a collection of bitmap images. According to Group-IB, FlawedAmmyy.downloader and Truebot would have been developed by the same individual",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
+        ],
+        "synonyms": [
+          "Silence"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
+      "uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
+      "value": "Truebot"
+    },
+    {
+      "description": "FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.\nFAKEUPDATES has been heavily used by UNC1543,a financially motivated group.\n\nSocGholish, first appearing in late 2017 and rising to prominence in mid-2018, has been used to describe both the web drive-by download network used to infect victims and the JavaScript-based loader malware that targets Windows systems.",
+      "meta": {
+        "refs": [
+          "https://www.malwarebytes.com/blog/news/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms",
+          "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+          "https://www.secureworks.com/research/threat-profiles/gold-prelude"
+        ],
+        "synonyms": [
+          "FakeUpdate",
+          "SocGholish"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
+      "uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c",
+      "value": "FakeUpdates"
     }
   ],
-  "version": 156
+  "version": 157
 }