
v13.1 having Duplicated G0097 and S0302 spanning both [enterprise-attack and mobile-attack] Stix JSON files #43

Open
DrSnowbird opened this issue Oct 21, 2023 · 1 comment
@DrSnowbird

1.) In Release v13.1 : "external_id": "G0097" -- appearing in both "x_mitre_domains": "mobile-attack" and "enterprise-attack"

mobile-attack-13.1.json
17685: "external_id": "G0097",
17687: "url": "https://attack.mitre.org/groups/G0097"
17697: "description": "Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)",
21073: "description": "GolfSpy is Android spyware deployed by the group Bouncing Golf.(Citation: Trend Micro Bouncing Golf 2019)",
59771: "description": "Bouncing Golf delivered GolfSpy via a hosted application binary advertised on social media.(Citation: Trend Micro Bouncing Golf 2019) ",
63828: "description": "Bouncing Golf distributed malware as repackaged legitimate applications, with the malicious code in the com.golf package.(Citation: Trend Micro Bouncing Golf 2019)"

enterprise-attack-13.1.json
692360: "external_id": "G0097",
692362: "url": "https://attack.mitre.org/groups/G0097"
692372: "description": "Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)",

2.) In Release v13.1 : "external_id": "S0302" -- appearing in both "x_mitre_domains": "mobile-attack" and "enterprise-attack"

mobile-attack-13.1.json
19550: "description": "Twitoor is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)",
19570: "url": "https://attack.mitre.org/software/S0302",
19571: "external_id": "S0302"
38696: "description": "Twitoor can hide its presence on the system.(Citation: ESET-Twitoor)",
50166: "description": "Twitoor encrypts its C2 communication.(Citation: ESET-Twitoor)",
54579: "description": "Twitoor can be controlled via Twitter.(Citation: ESET-Twitoor)",
61597: "description": "Twitoor can install attacker-specified applications.(Citation: ESET-Twitoor)",
66798: "description": "Twitoor uses Twitter for command and control.(Citation: ESET-Twitoor)",

enterprise-attack-13.1.json
691943: "description": "Twitoor is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)",
691963: "url": "https://attack.mitre.org/software/S0302",
691964: "external_id": "S0302"
692181: "description": "Twitoor uses Twitter for command and control.(Citation: ESET-Twitoor)",


ElJocko commented Nov 20, 2023

These objects (G0097 and S0302) are both mobile objects and should only appear in the Mobile collection bundle. They are included in the Enterprise collection bundle because:

  • They were inadvertently included in the Enterprise v7.0 bundle
  • The script that we use to generate the current STIX 2.1 collection bundles has a step where it checks older versions of the collection bundle, looking for objects that are present in an older version but missing from the current version, and adding them to the current version if found
  • In general, a missing object indicates an error--published objects should be deprecated, not deleted, and this step of the bundle generation process is designed to address any such errors. However, these objects (G0097 and S0302) present a different situation, and one that the bundle generation script doesn't handle correctly

We'll review the bundle generation script and make a change so that these objects are not included in the Enterprise v15.0 collection bundle.
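To make the two halves of this thread concrete, here is an added Python example that is not part of the issue, the comment, or the MITRE ATT&CK tooling. It does two things on constructed miniature bundles (not the real 13.1 files): it reports ATT&CK IDs that occur in both a Mobile and an Enterprise bundle, which is the check DrSnowbird ran by hand above, and it shows a back-fill step of the kind ElJocko describes that only re-adds an object missing from the current bundle when the object's `x_mitre_domains` actually contains the target domain, so a Mobile object that leaked into an old Enterprise bundle is not carried forward. The STIX ids, the `S9999` object and the bundle layout are all constructed for the example.

```python
"""Cross-domain duplicate check and domain-aware back-fill for ATT&CK STIX bundles.

Added example; not code from the issue or from the MITRE ATT&CK repository.
Bundles below are constructed, with only the fields the checks need.
"""
import copy
from typing import Dict, List, Optional

SOURCE_NAME = "mitre-attack"  # external_references entry that carries the ATT&CK ID


def make_constructed_bundles() -> Dict[str, dict]:
    """Return fresh copies of three tiny bundles (constructed, not real data)."""
    g0097 = {
        "type": "intrusion-set",
        "id": "intrusion-set--00000000-0000-4000-8000-000000000097",  # constructed
        "name": "Bouncing Golf",
        "x_mitre_domains": ["mobile-attack"],
        "external_references": [{"source_name": SOURCE_NAME, "external_id": "G0097",
                                 "url": "https://attack.mitre.org/groups/G0097"}],
    }
    s0302 = {
        "type": "malware",
        "id": "malware--00000000-0000-4000-8000-000000000302",  # constructed
        "name": "Twitoor",
        "x_mitre_domains": ["mobile-attack"],
        "external_references": [{"source_name": SOURCE_NAME, "external_id": "S0302",
                                 "url": "https://attack.mitre.org/software/S0302"}],
    }
    s9999 = {  # hypothetical enterprise object, constructed for the example
        "type": "malware",
        "id": "malware--00000000-0000-4000-8000-000000009999",
        "name": "ExampleEnterpriseTool",
        "x_mitre_domains": ["enterprise-attack"],
        "external_references": [{"source_name": SOURCE_NAME, "external_id": "S9999"}],
    }
    return {
        "mobile-current": {"type": "bundle", "objects": [copy.deepcopy(g0097), copy.deepcopy(s0302)]},
        # stands in for an old Enterprise bundle into which the mobile objects leaked
        "enterprise-old": {"type": "bundle", "objects": [copy.deepcopy(g0097), copy.deepcopy(s0302),
                                                         copy.deepcopy(s9999)]},
        # freshly generated Enterprise bundle, before the back-fill step runs
        "enterprise-current": {"type": "bundle", "objects": []},
    }


def attack_id(obj: dict) -> Optional[str]:
    """Return the ATT&CK ID (e.g. G0097) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == SOURCE_NAME and "external_id" in ref:
            return ref["external_id"]
    return None


def domains(obj: dict) -> List[str]:
    """Normalise x_mitre_domains, which the issue text shows as a bare string, to a list."""
    value = obj.get("x_mitre_domains", [])
    return [value] if isinstance(value, str) else list(value)


def index_by_attack_id(bundle: dict) -> Dict[str, dict]:
    return {aid: obj for obj in bundle.get("objects", []) if (aid := attack_id(obj))}


def cross_domain_duplicates(bundle_a: dict, bundle_b: dict) -> List[str]:
    """ATT&CK IDs present in both bundles; for Mobile vs Enterprise this should be empty."""
    return sorted(set(index_by_attack_id(bundle_a)) & set(index_by_attack_id(bundle_b)))


def backfill_missing(previous: dict, current: dict, domain: str) -> List[str]:
    """Copy objects from `previous` that are absent from `current`, but only if they
    are tagged for `domain`. Returns the ATT&CK IDs (or STIX ids) that were added."""
    present = {o["id"] for o in current["objects"]}
    added = []
    for obj in previous["objects"]:
        if obj["id"] in present:
            continue
        if domain not in domains(obj):
            continue  # e.g. a mobile-attack object that leaked into an old enterprise bundle
        current["objects"].append(copy.deepcopy(obj))
        added.append(attack_id(obj) or obj["id"])
    return added


def find_duplicates_in_constructed() -> List[str]:
    b = make_constructed_bundles()
    return cross_domain_duplicates(b["mobile-current"], b["enterprise-old"])


def backfill_constructed() -> Dict[str, List[str]]:
    b = make_constructed_bundles()
    added = backfill_missing(b["enterprise-old"], b["enterprise-current"], "enterprise-attack")
    leftover = cross_domain_duplicates(b["mobile-current"], b["enterprise-current"])
    return {"added": added, "duplicates_after": leftover}


if __name__ == "__main__":
    print("IDs in both Mobile and old Enterprise:", find_duplicates_in_constructed())
    print("Domain-aware back-fill:", backfill_constructed())
```

Running it on the constructed data reports `G0097` and `S0302` as shared between the Mobile bundle and the old Enterprise bundle, while the domain-aware back-fill carries only `S9999` into the new Enterprise bundle and leaves no cross-domain duplicates behind. The same `cross_domain_duplicates` check can be pointed at the real `enterprise-attack-13.1.json` and `mobile-attack-13.1.json` after loading them with `json.load`.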
