Greenbug  (Back to overview)

Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.

---

Associated Families

---

References

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:evasive:ccfb062, author = {Unit 42}, title = {{Evasive Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/evasive-serpens/}, language = {English}, urldate = {2022-07-29} } Evasive Serpens TwoFace ISMAgent ISMDoor OopsIE RDAT OilRig

2020-05-19 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20200519:sophisticated:023b1bd, author = {Critical Attack Discovery and Intelligence Team}, title = {{Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia}}, date = {2020-05-19}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia}, language = {English}, urldate = {2020-05-20} } Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia ISMAgent ISMDoor

2019-08-22 ⋅ Cyware ⋅ Cyware @online{cyware:20190822:apt34:3439fde, author = {Cyware}, title = {{APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations}}, date = {2019-08-22}, organization = {Cyware}, url = {https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae}, language = {English}, urldate = {2021-06-29} } APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations TwoFace BONDUPDATER POWRUNER QUADAGENT Helminth ISMAgent Karkoff LONGWATCH OopsIE PICKPOCKET RGDoor VALUEVAULT

2019-04-16 ⋅ Robert Falcone @online{falcone:20190416:dns:fed953e, author = {Robert Falcone}, title = {{DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling}}, date = {2019-04-16}, url = {https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/}, language = {English}, urldate = {2019-12-03} } DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling BONDUPDATER QUADAGENT Alma Communicator Helminth ISMAgent

2017-10-24 ⋅ ClearSky ⋅ ClearSky Research Team @online{team:20171024:iranian:44f6acc, author = {ClearSky Research Team}, title = {{Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies}}, date = {2017-10-24}, organization = {ClearSky}, url = {https://www.clearskysec.com/greenbug/}, language = {English}, urldate = {2019-12-02} } Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies Greenbug

2017-10-24 ⋅ ClearSky ⋅ ClearSky Research Team @online{team:20171024:iranian:f9fddd8, author = {ClearSky Research Team}, title = {{Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies}}, date = {2017-10-24}, organization = {ClearSky}, url = {http://www.clearskysec.com/greenbug/}, language = {English}, urldate = {2020-01-13} } Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies ISMDoor

2017-08-28 ⋅ ClearSky ⋅ ClearSky Research Team @online{team:20170828:recent:fab1e53, author = {ClearSky Research Team}, title = {{Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug}}, date = {2017-08-28}, organization = {ClearSky}, url = {http://www.clearskysec.com/ismagent/}, language = {English}, urldate = {2019-12-19} } Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug ISMAgent

2017-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Bryan Lee @online{falcone:20170727:oilrig:36046ef, author = {Robert Falcone and Bryan Lee}, title = {{OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group}}, date = {2017-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/}, language = {English}, urldate = {2019-11-16} } OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group Greenbug

2017-05-02 ⋅ Threatpost ⋅ Tom Spring @online{spring:20170502:shamoon:56ac4ae, author = {Tom Spring}, title = {{Shamoon Collaborator Greenbug Adopts New Communication Tool}}, date = {2017-05-02}, organization = {Threatpost}, url = {https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/}, language = {English}, urldate = {2019-12-10} } Shamoon Collaborator Greenbug Adopts New Communication Tool Greenbug

2017-01-23 ⋅ Symantec ⋅ Symantec Security Response @online{response:20170123:greenbug:a118a76, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-04-21} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon DistTrack ISMDoor Greenbug

2017-01-23 ⋅ Symantec ⋅ Symantec Security Response @online{response:20170123:greenbug:96eab4c, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-01-13} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon DistTrack ISMDoor Greenbug

---

Credits: MISP Project