
v13.1 has duplicated G0097 and S0302 spanning both [enterprise-attack and mobile-attack] STIX JSON files

Open · DrSnowbird opened this issue 8 months ago · 1 comment

1.) In Release v13.1: "external_id": "G0097" -- appearing in both "x_mitre_domains": "mobile-attack" and "enterprise-attack"

mobile-attack-13.1.json
  17685: "external_id": "G0097",
  17687: "url": "https://attack.mitre.org/groups/G0097"
  17697: "description": "Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)",
  21073: "description": "GolfSpy is Android spyware deployed by the group Bouncing Golf.(Citation: Trend Micro Bouncing Golf 2019)",
  59771: "description": "Bouncing Golf delivered GolfSpy via a hosted application binary advertised on social media.(Citation: Trend Micro Bouncing Golf 2019) ",
  63828: "description": "Bouncing Golf distributed malware as repackaged legitimate applications, with the malicious code in the com.golf package.(Citation: Trend Micro Bouncing Golf 2019)"

enterprise-attack-13.1.json
  692360: "external_id": "G0097",
  692362: "url": "https://attack.mitre.org/groups/G0097"
  692372: "description": "Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)",

2.) In Release v13.1: "external_id": "S0302" -- appearing in both "x_mitre_domains": "mobile-attack" and "enterprise-attack"

mobile-attack-13.1.json
  19550: "description": "Twitoor is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)",
  19570: "url": "https://attack.mitre.org/software/S0302",
  19571: "external_id": "S0302"
  38696: "description": "Twitoor can hide its presence on the system.(Citation: ESET-Twitoor)",
  50166: "description": "Twitoor encrypts its C2 communication.(Citation: ESET-Twitoor)",
  54579: "description": "Twitoor can be controlled via Twitter.(Citation: ESET-Twitoor)",
  61597: "description": "Twitoor can install attacker-specified applications.(Citation: ESET-Twitoor)",
  66798: "description": "Twitoor uses Twitter for command and control.(Citation: ESET-Twitoor)",

enterprise-attack-13.1.json
  691943: "description": "Twitoor is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)",
  691963: "url": "https://attack.mitre.org/software/S0302",
  691964: "external_id": "S0302"
  692181: "description": "Twitoor uses Twitter for command and control.(Citation: ESET-Twitoor)",

DrSnowbird, Oct 21 '23 21:10

These objects (G0097 and S0302) are both mobile objects and should only appear in the Mobile collection bundle. They are included in the Enterprise collection bundle because:

  • They were inadvertently included in the Enterprise v7.0 bundle
  • The script that we use to generate the current STIX 2.1 collection bundles has a step where it checks older versions of the collection bundle, looking for objects that are present in an older version but missing from the current version, and adding them to the current version if found
  • In general, a missing object indicates an error--published objects should be deprecated, not deleted, and this step of the bundle generation process is designed to address any such errors. However, these objects (G0097 and S0302) present a different situation, and one that the bundle generation script doesn't handle correctly

We'll review the bundle generation script and make a change so that these objects are not included in the Enterprise v15.0 collection bundle.

ElJocko, Nov 20 '23 22:11
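The two posts above describe one mechanism and one symptom: a backfill step that restores objects missing from the current bundle by copying them from an older bundle, and, as a result, mobile-domain objects (G0097, S0302) turning up in enterprise-attack-13.1.json. The following is an added example, not the project's own bundle generation script: it reproduces the domain-blind backfill on constructed sample bundles, shows a domain-aware variant that consults `x_mitre_domains` before restoring an object, and gives consumers of the data a check that flags objects whose domains do not include the bundle they were loaded from. The STIX UUIDs, the `G0000`/`S0000` ids and the object names other than Bouncing Golf and Twitoor are constructed placeholders.

```python
import json
from typing import Dict, List, Optional, Tuple

# Added example (not the project's generation script): a domain-aware version of
# the "re-add objects missing from the current bundle" step, plus a consumer-side
# check for objects that landed in the wrong domain bundle.


def _obj(stix_type: str, n: int, name: str, domains: List[str],
         attack_id_value: str, path: str) -> Dict:
    """Build a minimal ATT&CK-style STIX object. UUIDs are constructed placeholders."""
    return {
        "type": stix_type,
        "id": f"{stix_type}--00000000-0000-0000-0000-{n:012d}",  # constructed id
        "name": name,
        "x_mitre_domains": domains,
        "external_references": [
            {"source_name": "mitre-attack", "external_id": attack_id_value,
             "url": f"https://attack.mitre.org/{path}/{attack_id_value}"}
        ],
    }


# Constructed sample bundles, not the real v13.1 files. G0097 and S0302 are the
# mobile objects from the issue; G0000/S0000 are placeholder enterprise ids.
OLD_ENTERPRISE = {
    "type": "bundle", "id": "bundle--00000000-0000-0000-0000-0000000000aa",
    "objects": [
        _obj("intrusion-set", 1, "Bouncing Golf", ["mobile-attack"], "G0097", "groups"),
        _obj("malware", 2, "Twitoor", ["mobile-attack"], "S0302", "software"),
        _obj("malware", 3, "Placeholder enterprise tool", ["enterprise-attack"], "S0000", "software"),
    ],
}

CURRENT_ENTERPRISE = {
    "type": "bundle", "id": "bundle--00000000-0000-0000-0000-0000000000bb",
    "objects": [
        _obj("intrusion-set", 4, "Placeholder enterprise group", ["enterprise-attack"], "G0000", "groups"),
        # S0000 is absent here: a genuinely dropped object that backfill should restore.
    ],
}


def attack_id(obj: Dict) -> Optional[str]:
    """Return the ATT&CK id (G0097, S0302, ...) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def naive_backfill(current: Dict, older: Dict) -> Dict:
    """The failure mode from the issue: every object present in the older bundle
    but missing from the current one is re-added, regardless of its domain."""
    have = {o["id"] for o in current["objects"]}
    restored = [o for o in older["objects"] if o["id"] not in have]
    return {**current, "objects": current["objects"] + restored}


def domain_aware_backfill(current: Dict, older: Dict, domain: str) -> Tuple[Dict, List[str]]:
    """Same step, but only objects whose x_mitre_domains include this bundle's
    domain are restored. Returns the merged bundle and the sorted ATT&CK ids skipped."""
    have = {o["id"] for o in current["objects"]}
    restored, skipped = [], []
    for obj in older["objects"]:
        if obj["id"] in have:
            continue
        if domain in obj.get("x_mitre_domains", []):
            restored.append(obj)
        else:
            skipped.append(attack_id(obj) or obj["id"])
    return {**current, "objects": current["objects"] + restored}, sorted(skipped)


def domain_mismatches(bundle: Dict, domain: str) -> List[str]:
    """Consumer-side check: ATT&CK ids of objects whose x_mitre_domains do not
    include the domain of the bundle they were loaded from."""
    return sorted(attack_id(o) or o["id"] for o in bundle["objects"]
                  if "x_mitre_domains" in o and domain not in o["x_mitre_domains"])


def load_bundle(path: str) -> Dict:
    """Load a collection bundle such as enterprise-attack-13.1.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    buggy = naive_backfill(CURRENT_ENTERPRISE, OLD_ENTERPRISE)
    print("naive backfill, wrong-domain objects:", domain_mismatches(buggy, "enterprise-attack"))
    fixed, skipped = domain_aware_backfill(CURRENT_ENTERPRISE, OLD_ENTERPRISE, "enterprise-attack")
    print("domain-aware backfill skipped:", skipped)
    print("domain-aware backfill, wrong-domain objects:", domain_mismatches(fixed, "enterprise-attack"))
```

Against a real download, `domain_mismatches(load_bundle("enterprise-attack-13.1.json"), "enterprise-attack")` is the check a consumer can run before importing a release into a TIP or detection pipeline; on the sample data the naive backfill reports G0097 and S0302, the domain-aware one reports nothing and still restores the genuinely missing S0000. The domain filter relies on `x_mitre_domains` being present on the older object, which it is in the v13.1 files quoted in the issue; objects without that field are not restored by this variant and are worth reviewing by hand.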