win.ismdoor

ISMDoor

Actor(s): Greenbug


There is no description at this point.

References
2020-05-19 — Symantec — Critical Attack Discovery and Intelligence Team
@online{team:20200519:sophisticated:023b1bd, author = {Critical Attack Discovery and Intelligence Team}, title = {{Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia}}, date = {2020-05-19}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia}, language = {English}, urldate = {2020-05-20} } Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
ISMAgent ISMDoor
2017-10-24 — ClearSky — ClearSky Research Team
@online{team:20171024:iranian:f9fddd8, author = {ClearSky Research Team}, title = {{Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies}}, date = {2017-10-24}, organization = {ClearSky}, url = {http://www.clearskysec.com/greenbug/}, language = {English}, urldate = {2020-01-13} } Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
ISMDoor
2017-01-23 — Symantec — Symantec Security Response
@online{response:20170123:greenbug:96eab4c, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-01-13} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-23 — Symantec — Symantec Security Response
@online{response:20170123:greenbug:a118a76, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-04-21} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
Yara Rules
[TLP:WHITE] win_ismdoor_auto (20211008 | Detects win.ismdoor.)
rule win_ismdoor_auto {
    /* Auto-generated (yara-signator) code-sequence signature for ISMDoor, the
     * backdoor this page attributes to Greenbug. Each $sequence_N is a short
     * run of x86 opcode bytes lifted from disassembled samples; "??" bytes are
     * wildcards over the displacement/address operand of call/jmp encodings
     * (e8, e9, ff15, ff35) so the rule is not tied to one build's layout.
     *
     * NOTE(review): the "opcode | mnemonic" comments under each sequence do
     * NOT line up with the bytes they sit next to. For example the
     * "movdqu xmmword ptr [esp + 0xe0], xmm0" listed under $sequence_3 is the
     * decoding of the f30f7f8424e0000000 bytes of $sequence_1 (disp32
     * e0000000 = 0xe0), while $sequence_1's own bytes are annotated with
     * unrelated movs. Treat the hex sequences as authoritative and the
     * mnemonics as a loosely aligned generator artefact; do not tune the rule
     * from the mnemonics.
     *
     * $sequence_1..$sequence_7 contain 0x41/0x44/0x45/0x48/0x49/0x4c bytes in
     * prefix position (REX prefixes in x64 code) and carry score 300;
     * $sequence_8..$sequence_14 are plain 32-bit code and carry score 100.
     * Presumably the two groups come from x64 and x86 samples respectively —
     * TODO confirm against the source samples. The mnemonics decode the REX
     * bytes in 32-bit mode, which is why they read as "dec eax" / "inc ecx".
     * "n" in each sequence header is the instruction count; "score" appears to
     * be the generator's weight for the sequence (verify in yara-signator docs).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.ismdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The only sequence whose mnemonics match its bytes: extract bit 4 of
        // al into bl (jmp +5 / shr al,4 / and al,1 / test al,al / sete bl).
        $sequence_0 = { eb05 c0e804 2401 84c0 0f94c3 }
            // n = 5, score = 400
            //   eb05                 | jmp                 7
            //   c0e804               | shr                 al, 4
            //   2401                 | and                 al, 1
            //   84c0                 | test                al, al
            //   0f94c3               | sete                bl

        // x64 group (score 300). Mnemonics below are misaligned; see header.
        $sequence_1 = { 0f57c0 f30f7f8424e0000000 4889bc24f0000000 41ffc7 44897c2420 }
            // n = 5, score = 300
            //   0f57c0               | mov                 ebp, dword ptr [esp + 0x58]
            //   f30f7f8424e0000000     | dec    eax
            //   4889bc24f0000000     | mov                 ebx, dword ptr [esp + 0x50]
            //   41ffc7               | inc                 ebp
            //   44897c2420           | xor                 edi, edi

        $sequence_2 = { e9???????? 488b8a30000000 e9???????? 488d8aa0010000 }
            // n = 4, score = 300
            //   e9????????           |                     
            //   488b8a30000000       | inc                 ecx
            //   e9????????           |                     
            //   488d8aa0010000       | movzx               eax, di

        $sequence_3 = { 49ffc0 7429 488bd3 488d4d70 e8???????? }
            // n = 5, score = 300
            //   49ffc0               | dec                 eax
            //   7429                 | mov                 eax, dword ptr [ecx + 0x40]
            //   488bd3               | xorps               xmm0, xmm0
            //   488d4d70             | movdqu              xmmword ptr [esp + 0xe0], xmm0
            //   e8????????           |                     

        $sequence_4 = { 4885c0 747e 4883f8ff 7606 4883c9ff }
            // n = 5, score = 300
            //   4885c0               | mov                 dword ptr [esp + 0x20], edi
            //   747e                 | dec                 eax
            //   4883f8ff             | mov                 ecx, dword ptr [edx + 0x30]
            //   7606                 | dec                 eax
            //   4883c9ff             | lea                 ecx, dword ptr [edx + 0x1a0]

        $sequence_5 = { 4c8b7c2420 4c8b742428 4c8b642430 488b742460 488b6c2458 488b5c2450 }
            // n = 6, score = 300
            //   4c8b7c2420           | dec                 esp
            //   4c8b742428           | mov                 edi, dword ptr [esp + 0x20]
            //   4c8b642430           | dec                 esp
            //   488b742460           | mov                 esi, dword ptr [esp + 0x28]
            //   488b6c2458           | dec                 esp
            //   488b5c2450           | mov                 esp, dword ptr [esp + 0x30]

        $sequence_6 = { 4533ff 410fb7c7 e9???????? 488b4140 }
            // n = 4, score = 300
            //   4533ff               | dec                 eax
            //   410fb7c7             | mov                 esi, dword ptr [esp + 0x60]
            //   e9????????           |                     
            //   488b4140             | dec                 eax

        $sequence_7 = { 488b7f30 eb34 83bff800000000 76d8 443b4624 }
            // n = 5, score = 300
            //   488b7f30             | dec                 eax
            //   eb34                 | mov                 dword ptr [esp + 0xf0], edi
            //   83bff800000000       | inc                 ecx
            //   76d8                 | inc                 edi
            //   443b4624             | inc                 esp

        // x86 group (score 100). Mnemonics below are misaligned; see header.
        $sequence_8 = { c745c400000000 c745fc00000000 837f1408 7202 }
            // n = 4, score = 100
            //   c745c400000000       | test                al, al
            //   c745fc00000000       | sete                bl
            //   837f1408             | xor                 al, al
            //   7202                 | jmp                 9

        $sequence_9 = { 8d45b7 c645fc1e 50 8d8decfdffff c645b733 }
            // n = 5, score = 100
            //   8d45b7               | jmp                 9
            //   c645fc1e             | shr                 al, 4
            //   50                   | and                 al, 1
            //   8d8decfdffff         | test                al, al
            //   c645b733             | push                dword ptr [ebp - 0x1134]

        $sequence_10 = { 83c40c 8d4c2410 c68424b000000006 e8???????? 83bc248400000008 8d442470 }
            // n = 6, score = 100
            //   83c40c               | shr                 al, 4
            //   8d4c2410             | and                 al, 1
            //   c68424b000000006     | test                al, al
            //   e8????????           |                     
            //   83bc248400000008     | jne                 6
            //   8d442470             | xor                 al, al

        $sequence_11 = { 8b7dec 8d8d30ffffff e8???????? 85c0 }
            // n = 4, score = 100
            //   8b7dec               | test                eax, eax
            //   8d8d30ffffff         | je                  0xba
            //   e8????????           |                     
            //   85c0                 | mov                 edx, dword ptr [ebp - 0x1058]

        $sequence_12 = { ff35???????? ff15???????? 8b8c24a8000000 64890d00000000 59 5f }
            // n = 6, score = 100
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   8b8c24a8000000       | and                 al, 1
            //   64890d00000000       | test                al, al
            //   59                   | sete                bl
            //   5f                   | jmp                 7

        $sequence_13 = { ffb5cceeffff ff15???????? 85c0 0f84b2000000 8b95a8efffff 8b8dc8eeffff }
            // n = 6, score = 100
            //   ffb5cceeffff         | shr                 al, 4
            //   ff15????????         |                     
            //   85c0                 | and                 al, 1
            //   0f84b2000000         | test                al, al
            //   8b95a8efffff         | sete                bl
            //   8b8dc8eeffff         | shr                 al, 4

        $sequence_14 = { 8a80a01e4700 8803 43 41 898d74ffffff 8bcf }
            // n = 6, score = 100
            //   8a80a01e4700         | shr                 al, 4
            //   8803                 | and                 al, 1
            //   43                   | test                al, al
            //   41                   | jmp                 7
            //   898d74ffffff         | shr                 al, 4
            //   8bcf                 | and                 al, 1

    condition:
        // At least 7 of the 15 sequences must be present, and the scanned file
        // must be smaller than 1933312 bytes (about 1.84 MiB). The size bound
        // limits matches to unpacked binaries of roughly the sampled size, so
        // padded or repacked variants may fall outside it.
        7 of them and filesize < 1933312
}
[TLP:WHITE] win_ismdoor_w0   (20180301 | No description)
rule win_ismdoor_w0 {
	meta:
        author = "Florian Roth"
        // NOTE(review): goo.gl short link; resolve it and pin the full URL so
        // the reference stays usable if the shortener stops redirecting.
        reference = "https://goo.gl/urp4CD"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    /* String-based signature for ISMDoor. It keys on hard-coded command lines
     * the backdoor embeds for host reconnaissance (each redirects its output
     * with ">>") and on a banner it writes between sections of that output.
     * In YARA text strings "\\" is one literal backslash, so $x1 matches the
     * bytes `\\root\SecurityCenter` in the binary and $x3 matches
     * `%localappdata%\Microsoft\`. All four strings are ASCII and "fullword",
     * i.e. they must not be flanked by alphanumeric characters.
     */
    strings:
        // WMIC query against the root\SecurityCenter WMI namespace (Windows
        // Security Center, where installed AV/firewall products are listed).
        $x1 = "cmd /u /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter" fullword ascii
        // Enumerates the domain "administrator" account; output appended to a file.
        $x2 = "cmd /a /c net user administrator /domain >>" fullword ascii
        // Active connection listing appended to a file under %localappdata%\Microsoft\.
        $x3 = "cmd /a /c netstat -ant >>\"%localappdata%\\Microsoft\\" fullword ascii
        // Presumably the section header written around the "net user" output
        // collected by $x2 — confirm against a sample; on its own it is a
        // generic-looking banner.
        $o1 = "========================== (Net User) ==========================" ascii fullword
    condition:
        // Any single string is enough, so the generic $o1 banner alone fires
        // the rule. NOTE(review): if $o1 is meant only as supporting evidence
        // (the $x/$o naming suggests so), `1 of ($x*)` would be the tighter
        // condition; verify the intent against the upstream rule before
        // changing it.
        1 of them
}