Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies.
On 15 October 2017, a sample of ISMdoor was submitted to VirusTotal from Iraq. The sample name was WmiPrv.tmp (f5ef3b060fb476253f9a7638f82940d9) and it had the following PDB string:
Two domains were used for command and control:
By pivoting on the registration details and server data of the two domains, we discovered other domains registered by the threat agent. Eight contain the names of Israeli high-tech and cyber security companies, and one contains the name of a Saudi Arabian company that tests and commissions major electrical equipment.
We estimate that the domains were registered in order to be used when targeting these companies, organisations related to them, or unrelated third parties. However, we do not have any indication that the companies were actually targeted or otherwise impacted.
Below are the malicious domains and the companies whose names were used.
| Malicious domain | Impersonated company | Registration date |
|---|---|---|
| thetaraysecurityupdate[.]com | ThetaRay (thetaray.com) – An Israeli cyber security and big data analytics company | 4/8/2017 |
| ymaaz[.]com | YMAAZE (ymaaze.com) – A Saudi Arabian company that tests and commissions major electrical equipment | 4/8/2017 |
| outbrainsecupdater[.]com | Outbrain (outbrain.com) – A major Israeli online advertising company | 8/9/2017 |
| securelogicupdater[.]com | SecureLogic (space-logic.com) – Likely an Israeli marketer of airport security systems by the same name. Other companies with the same name exist. | 8/9/2017 |
| wixwixwix[.]com | Wix (wix.com) – A major Israeli cloud-based web development platform | 8/9/2017 |
| biocatchsecurity[.]com | Biocatch (biocatch.com) – An Israeli company developing behavioral biometrics technology for fraud prevention and detection | 10/14/2017 |
| corticasecurity[.]com | Cortica (cortica.com) – An Israeli company developing Artificial Intelligence technology | 10/14/2017 |
| covertixsecurity[.]com | Covertix (covertix.com) – An Israeli data security company | 10/14/2017 |
| arbescurity[.]com | Arbe Robotics (arberobotics.com) – An Israeli company developing autonomous driving technology | 10/14/2017 |
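The table shows three naming patterns: a brand label with an appended lure word such as "security" or "updater", a repeated brand label (wixwixwix), and a one-character misspelling (ymaaz, arbescurity). The following Python is an added example, not code from the original post or from any of the companies named: it screens candidate domain registrations for those patterns against a brand list built from the table. The lure-fragment list and the edit-distance thresholds are assumptions chosen to fit the domains above.

```python
from __future__ import annotations

# Brand labels taken from the impersonated companies in the table above.
PROTECTED_BRANDS = ["thetaray", "ymaaze", "outbrain", "securelogic", "wix",
                    "biocatch", "cortica", "covertix", "arbe"]
# Lure fragments the lookalike domains appended to the brand (assumed list, longest first).
LURE_FRAGMENTS = ["security", "updater", "secure", "update", "sec"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lure_tokens(rest: str) -> list[str] | None:
    """Greedily split the non-brand remainder into known lure fragments, or None."""
    tokens = []
    while rest:
        frag = next((f for f in LURE_FRAGMENTS if rest.startswith(f)), None)
        if frag is None:
            return None
        tokens.append(frag)
        rest = rest[len(frag):]
    return tokens


def classify(domain: str) -> str | None:
    """Reason string if the (optionally defanged) domain mimics a protected brand, else None."""
    label = domain.lower().replace("[.]", ".").split(".")[0]  # registrable label only
    for brand in sorted(PROTECTED_BRANDS, key=len, reverse=True):
        if label == brand:
            return None  # the brand's own label, not a lookalike
        if brand in label:
            rest = label.replace(brand, "")
            if not rest:
                return f"{brand}: brand name repeated"
            tokens = _lure_tokens(rest)
            if tokens:
                return f"{brand}: brand + lure words {'+'.join(tokens)}"
            near = [w for w in LURE_FRAGMENTS if len(w) > 5 and levenshtein(rest, w) <= 1]
            if near:
                return f"{brand}: brand + misspelled lure word {near[0]!r}"
        elif len(brand) >= 5 and levenshtein(label, brand) <= 1:
            return f"{brand}: brand name misspelled"
    return None
```

Short brand labels such as "wix" will match inside unrelated words, so in practice a hit on a brand shorter than five characters should be reviewed by hand rather than alerted on automatically.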
Indicators of compromise
Indicators of compromise are presented below and are available on PassiveTotal.
The Maltego graph below depicts the relationships among the indicators:
Update 2017-10-25 – three hashes removed from IOC list
The following hashes were mistakenly included in the IOC list and have been removed, as they are unrelated to the campaign: