From d6b16b2177de11fb8404c18d5b074967718149da Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Fri, 22 Dec 2017 10:46:18 +0100
Subject: [PATCH] update Sofacy tools

---
 clusters/exploit-kit.json |  8 ++++++--
 clusters/tool.json        | 21 +++++++++++++++------
 2 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index ae32539..187b2fd 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -37,11 +37,12 @@
     },
     {
       "value": "DealersChoice",
-      "description": "DealersChoice is a Flash Player Exploit platform triggered by RTF",
+      "description": "DealersChoice is a Flash Player Exploit platform triggered by RTF.\n\nDealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variants — variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads  exploit code on demand. This new component appeared in 2016 and is still in use.",
       "meta": {
         "refs": [
           "http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
-          "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/"
+          "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/",
+          "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
         ],
         "synonyms": [
           "Sednit RTF EK"
@@ -142,6 +143,9 @@
           "http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
           "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/"
         ],
+        "synonyms":[
+          "SedKit"
+        ],
         "status": "Active"
       }
     },
diff --git a/clusters/tool.json b/clusters/tool.json
index 19fb3a3..fc9f543 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -677,7 +677,7 @@
           "NETUI"
         ]
       },
-      "description": "backdoor used by apt28",
+      "description": "backdoor used by apt28\n\nSedreco serves as a spying backdoor; its functionalities can be extended with dynamically loaded plugins. It is made up of two distinct components: a dropper and the persistent payload installed by this dropper. We have not seen this component since April 2016.",
       "value": "EVILTOSS"
     },
     {
@@ -1213,10 +1213,11 @@
         ],
         "refs": [
           "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/",
-          "https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq"
+          "https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq",
+          "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
         ]
       },
-      "description": "This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.",
+      "description": "This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.\n\nXagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration. Xagent is the group’s flagship backdoor and heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. One year later, an Android version was discovered and finally, in the beginning of 2017, an Xagent sample for OS X was described.",
       "value": "X-Agent"
     },
     {
@@ -3229,11 +3230,19 @@
       }
     },
     {
-      "value": "Sedkit",
-      "description": "Sedkit is the Sednit exploit-kit; it’s used only for targeted attacks, starting with targeted phishing emails with URLs that spoof legitimate URLs. October 2016 is the last time we’re aware that Sedkit was used.",
+      "value": "USBStealer",
+      "description": "USBStealer serves as a network tool that extracts sensitive information from air-gapped networks. We have not seen this component since mid 2015.",
+      "meta": {
+        "refs": [
+          "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
+        ]
+      }
+    },
+    {
+      "value": "Downdelph",
+      "description": "Downdelph is a lightweight downloader developed in the Delphi programming language. As we already mentioned in our white paper, its period of activity was from November 2013 to September 2015 and there have been no new variants seen since.",
       "meta": {
         "refs": [
-          "https://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
           "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
         ]
       }