ISR is a password stealer that has been spreading through phishing attacks. The malware targets different browsers and programs in order to steal the victims' passwords. In this blog post we will discuss how to detect ISR traffic using RSA NetWitness.
ISR uploads the stolen data to compromised websites, as shown in the screenshot below.
The unique user-agent string used in this HTTP GET request is common among ISR variants:
Assuming the appropriate meta keys are enabled, the following query can be used to detect ISR network activity:
service = 80 && client = 'HardCore Software For : Public'
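The same logic applied outside NetWitness, as an added example that is not part of the original post: it parses a few constructed HTTP requests (placeholder hosts, not real ISR infrastructure) and flags sessions whose User-Agent is the ISR string. The destination port stands in for the NetWitness service = 80 meta, which is really set by protocol identification; the non-strict mode that tolerates case and whitespace changes is an assumption added here, not part of the published query.

```python
from dataclasses import dataclass

ISR_USER_AGENT = "HardCore Software For : Public"

# Constructed sample sessions: (destination port, reconstructed HTTP request).
# Hosts and paths are placeholders, not indicators from the post.
SAMPLE_SESSIONS = [
    (80, "GET /panel/upload.php?id=1 HTTP/1.1\r\nHost: example-compromised.invalid\r\n"
         "User-Agent: HardCore Software For : Public\r\n\r\n"),
    (80, "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    (8080, "GET /x HTTP/1.1\r\nHost: proxy.example.invalid\r\n"
           "User-Agent: HardCore Software For : Public\r\n\r\n"),
    (80, "GET /y HTTP/1.1\r\nHost: www.example.org\r\n"
         "user-agent:   hardcore software for : public  \r\n\r\n"),
]

@dataclass
class Session:
    dst_port: int
    method: str
    host: str
    path: str
    user_agent: str

def parse_request(dst_port, raw):
    """Parse the request line and headers; header names are case-insensitive."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Session(dst_port, method, headers.get("host", ""), path, headers.get("user-agent", ""))

def is_isr_beacon(session, strict=True):
    """Equivalent of: service = 80 && client = 'HardCore Software For : Public'.
    strict=True is an exact match like the NetWitness query; strict=False
    (assumed extension) also catches case/whitespace variations of the string."""
    if session.dst_port != 80:   # simplification: port used in place of HTTP service meta
        return False
    if strict:
        return session.user_agent == ISR_USER_AGENT
    return " ".join(session.user_agent.lower().split()) == ISR_USER_AGENT.lower()

def find_isr_sessions(sessions, strict=True):
    """Return the parsed sessions that match the ISR user-agent rule."""
    parsed = [parse_request(port, raw) for port, raw in sessions]
    return [s for s in parsed if is_isr_beacon(s, strict)]
```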
All the IOCs from those sessions were added to the following feeds on Live:
- RSA FirstWatch Command and Control Domains
- RSA FirstWatch Command and Control IPs
To find those IOCs using RSA NetWitness, please refer to this post.