ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool ISMAgent

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: ISMAgent

NamesISMAgent
CategoryMalware
TypeBackdoor
Description(Palo Alto) On May 1, 2017, Arbor Networks published research on ISMDoor using DNS tunneling to communicate with its C2 server, which is nearly identical to the DNS tunneling the payload of this attack carries out. Due to considerable differences and evidence of potentially different authors between the previous ISMDoor samples and this newly discovered variant, we are tracking this new variant as ISMAgent.

The ISMAgent tool comes with a default configuration that specifies the C2 domain and the number of minutes between further attempts to execute the tool. However, an actor can use command line arguments to create a new ISMAgent sample that is configured with a specified C2 domain and a specified number of minutes to automatically execute the Trojan.
Information<https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/>
<https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/>
<http://www.clearskysec.com/ismagent/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:ISMAgent>

Last change to this tool card: 13 May 2020

Download this tool card in JSON format

All groups using tool ISMAgent

ChangedNameCountryObserved

APT groups

 OilRig, APT 34, Helix Kitten, ChryseneIran2014-Jan 2021X

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key