ISMDoor
ISMdoor is a credential-stealing remote access trojan (RAT) associated in public reporting with the Iranian threat actor Greenbug and also listed as part of the OilRig malware arsenal. Arbor Networks assessed that Greenbug may have used ISMdoor to steal credentials on behalf of Shamoon operators, particularly against Saudi targets ahead of destructive Shamoon attacks. Reported capabilities include remote command execution, credential theft, likely Mimikatz execution, keylogging, and data exfiltration. Newer versions were described as shifting from HTTP-based command and control to a covert DNS-based channel, using DNS TXT records and AAAA/IPv6-related queries to create a bidirectional C2 path. In this scheme, data to the C2 is sent via specially crafted query names and data from the C2 is returned via IPv6 addresses; the bot drives all communications. Arbor reported commands including "CreateMimi1Bat," likely used to execute Mimikatz via PowerShell scripts ccd61.ps1 and Invoke-bypassuac, and "ExecuteKL," likely used to run a keylogger via Winit.exe and return a "Start Keylog Done" message to the C2. The malware was also referenced in connection with watering-hole activity and 64-bit malware. A sample named WmiPrv.tmp with hash f5ef3b060fb476253f9a7638f82940d9 was submitted to VirusTotal from Iraq on 2017-10-15 and contained the PDB path C:\Users\Void\Desktop\v 10.0.194\x64\Release\swchost.pdb. Reported C2 domains included thetareysecurityupdate[.]com and securepackupdater[.]com.
Additional reported infrastructure and related indicators included domains such as outbrainsecupdater[.]com, securelogicupdater[.]com, wixwixwix[.]com, biocatchsecurity[.]com, corticasecurity[.]com, covertixsecurity[.]com, arbescurity[.]com, ymaaz[.]com, winsecupdater[.]com, dnsupdater[.]com, winscripts[.]net, allsecpackupdater[.]com, lbolbo[.]com, oospoosp[.]com, osposposp[.]com, znazna[.]com, mbsmbs[.]com, benyaminsecupdater[.]com, and ntpupdateserver[.]com; IPs 151.80.113.150, 151.80.221.23, 217.182.244.254, 46.105.130.98, 5.39.31.91, and 80.82.66.164; hashes 37d586727c1293d8a278b69d3f0c5c4b, 82755bf7ad786d7bf8da00b6c19b6091, ad5120454218bb483e0b8467feb3a20f, e0175eecf8d31a6f32da076d22ecbdff, and f5ef3b060fb476253f9a7638f82940d9; and SSL certificate fingerprint 3b0b85ea32cab82eaf4249c04c05bdfce5b6074ca076fedf87dbea6b28fab99d.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
On 15 October 2017 a sample of ISMdoor was submitted to VirusTotal from Iraq. The sample name was WmiPrv.tmp (f5ef3b060fb476253f9a7638f82940d9) and it had the following PDB string: C:\Users\Void\Desktop\v 10.0.194\x64\Release\swchost.pdb
CHRYSENE ... CAPABILITIES: Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
"...likely executes Mimikatz (executes PowerShell scripts: ccd61.ps1 and Invoke-bypassuac)..." and "adversaries use DNS queries to carry out malicious PowerShell commands"
Credential Access
2 techniques
"One is 'CreateMimi1Bat'; which likely executes Mimikatz (executes PowerShell scripts: ccd61.ps1 and Invoke-bypassuac)."
Collection
1 technique
Command and Control
2 techniques
Two domains were used for command and control: thetareysecurityupdate[.]com and securepackupdater[.]com
"Greenbug has shifted away from HTTP-based C2 communication with Ismdoor. It’s now relying on a new DNS-based attack technique... using DNS TXT record queries and responses to create a bidirectional command and control channel." Also: "custom covert channel using AAAA DNS queries for IPv6 addresses."
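A defender-side heuristic for the TXT/AAAA covert channel described in the quotes above, added here as an illustration; it is not code from the page, from Mallory, or from any cited vendor. The log format, thresholds, and sample lines are constructed, and the two reported C2 domains are the only values taken from the page.

```python
import math
from collections import defaultdict

# C2 domains reported for ISMdoor on this page (defanging brackets removed)
KNOWN_C2 = {"thetareysecurityupdate.com", "securepackupdater.com"}
SUSPECT_QTYPES = {"TXT", "AAAA"}   # record types the reporting ties to the covert channel
MIN_LABEL_LEN = 20                 # hypothetical thresholds; tune to your environment
MIN_ENTROPY = 3.2
MIN_UNIQUE_NAMES = 3

# Constructed sample log, not real telemetry: "<epoch> <client> <qname> <qtype>"
SAMPLE_LOG = """\
1507986001 10.0.0.5 www.example.com A
1507986002 10.0.0.5 q7k2m9x4p1zv8dhf3wyb6.securepackupdater.com AAAA
1507986003 10.0.0.5 mail.example.com MX
1507986004 10.0.0.7 a81f0c3e9b27d4e6f5a1c2.updates.contoso.test TXT
1507986005 10.0.0.7 b73c1d2e8f09a4b5c6d7e8.updates.contoso.test TXT
1507986006 10.0.0.7 c9e2f1a0b8d7c6e5f4a3b2.updates.contoso.test AAAA
1507986007 10.0.0.9 ipv6.google.com AAAA
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def base_domain(qname: str) -> str:
    """Naive registrable-domain guess: the last two labels (no public-suffix handling)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def analyze(log_text: str) -> dict:
    """Return {qname: [reasons]} for queries matching the covert-channel heuristics."""
    flagged = defaultdict(list)
    per_base = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, qtype = line.split()
        base = base_domain(qname)
        if base in KNOWN_C2:
            flagged[qname].append("known-c2-domain")
        if qtype in SUSPECT_QTYPES:
            first = qname.split(".")[0]   # data to the C2 rides in the leftmost label
            if len(first) >= MIN_LABEL_LEN and shannon_entropy(first) >= MIN_ENTROPY:
                flagged[qname].append("long-high-entropy-label")
            per_base[base].add(qname)
    # A bot-driven channel keeps polling with ever-changing names under one parent domain
    for base, names in per_base.items():
        if len(names) >= MIN_UNIQUE_NAMES:
            for name in names:
                flagged[name].append("many-unique-txt-aaaa-names")
    return dict(flagged)
```

Run `analyze` over exported resolver logs in the same four-column shape; the parent-domain rule catches a channel even when its domains are not yet on a blocklist.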
Exfiltration
1 technique
"Schwarz said using this technique, data is also exfiltrated from the machines as well."
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor malware used by OilRig for persistent access and command and control.
ISMdoor is discussed as malware used by Iranian threat agent Greenbug, with samples submitted to VirusTotal and command-and-control domains tied to a broader domain-registration campaign impersonating Israeli high-tech and cybersecurity companies.
Credential-stealing RAT with command-and-control shifted from HTTP to a covert DNS-based channel (AAAA queries / IPv6 responses), enabling command execution and data exfiltration; includes commands likely to run Mimikatz and a keylogger.
ISMDOOR is malware associated with CHRYSENE and used in IT compromise, information gathering, and reconnaissance against industrial organizations.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.