Ahmed Sonbol

Detecting ISR variants using RSA NetWitness

Blog post created by Ahmed Sonbol on Dec 7, 2016

ISR is a password stealer that has been spreading through phishing attacks. The malware targets a range of browsers and other programs in order to steal victims' saved passwords. In this blog post we will discuss how to detect ISR traffic using RSA NetWitness.

ISR uploads the stolen data to compromised websites over HTTP, as shown in the screenshot below.

The unusual User-Agent string sent in this HTTP GET request, 'HardCore Software For : Public', is common across ISR variants and is what the detection below keys on:

Assuming the appropriate meta keys are enabled (service and client, the latter carrying the HTTP User-Agent), the following query can be used to detect ISR network activity:

    service = 80 && client = 'HardCore Software For : Public'
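As an added example that is not part of the original post, the same two conditions as the NetWitness query (destination port 80 and an exact User-Agent match) applied offline in Python to a few constructed HTTP sessions. The session records, host names and paths are constructed placeholders; only the User-Agent value comes from the post.

```python
import re
from dataclasses import dataclass

# User-Agent value the NetWitness query above keys on (taken from the post).
ISR_USER_AGENT = "HardCore Software For : Public"

@dataclass
class Session:
    dst_port: int      # server port, the equivalent of the 'service' meta
    raw_request: str   # request line plus headers as sent by the client

@dataclass
class Hit:
    host: str
    path: str
    user_agent: str

_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")

def parse_headers(raw_request):
    """Return (method, path, headers) for a raw HTTP request, header names lower-cased."""
    lines = raw_request.strip().splitlines()
    m = _REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        # Split on the first colon only: the ISR User-Agent itself contains " : ".
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("path"), headers

def find_isr_sessions(sessions):
    """Mirror of  service = 80 && client = 'HardCore Software For : Public'  ('=' is exact match)."""
    hits = []
    for s in sessions:
        if s.dst_port != 80:
            continue
        try:
            _, path, headers = parse_headers(s.raw_request)
        except ValueError:
            continue  # not HTTP, nothing for the 'client' meta to hold
        if headers.get("user-agent") == ISR_USER_AGENT:
            hits.append(Hit(headers.get("host", "?"), path, headers["user-agent"]))
    return hits

# Constructed sample sessions: one ISR-style upload, one benign request, one ISR UA on 443.
SAMPLE_SESSIONS = [
    Session(80, "GET /data.php HTTP/1.1\r\nHost: compromised.example\r\nUser-Agent: HardCore Software For : Public\r\n"),
    Session(80, "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"),
    Session(443, "GET /x HTTP/1.1\r\nHost: other.example\r\nUser-Agent: HardCore Software For : Public\r\n"),
]
```

Running `find_isr_sessions(SAMPLE_SESSIONS)` returns only the port-80 session; the third session shows that, like the query, the check ignores the same User-Agent on another port.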

More information about ISR can be found on the Intel Security blog. Scan results for an ISR binary can be found here.

All the IOCs from those sessions were added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

To find those IOCs using RSA NetWitness, please refer to this post.