Ahmed Sonbol

Detecting Ismdoor variants using RSA NetWitness

Blog Post created by Ahmed Sonbol Employee on Feb 3, 2017

Ismdoor is a remote access Trojan used by the Greenbug cyberespionage group against different organizations in the Middle East. In addition to collecting data from an infected system, it has the ability to download and install binaries. In this blog post, we will shed some light on its network activity and show how to detect it using RSA NetWitness.


After infecting a system, the malware reaches out to its C2 server as follows:



Some Ismdoor binaries use a different filename to check the connection with the server:



If the response from the server is ‘Ok’, the malware knows that it can start receiving commands from the server so it sends another POST request:



In this case Ismdoor will execute the systeminfo command on the infected system to collect its information. It saves the command output to a temp file ‘test.txt’ in C:\Users\<user>\AppData\Local\Microsoft\Windows\TmpFiles. The content of that text file is then obfuscated and saved to another temp file in the same directory. The obfuscated data is submitted to the server and both files are deleted.



The URL is not the same across Ismdoor variants:



Based on those network artifacts and assuming that the appropriate meta keys are enabled, two different queries can be used to detect Ismdoor network activity:


  • First, to detect the check-in, you can use:

    service = 80 && action = 'post' && referer !exists && directory = '//home/' && client = 'winhttpclient'

  • Second, to detect the C2 activity, you can use:

    service = 80 && action = 'post' && referer !exists && query begins 'commandid=cmdresult='
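To show how the two queries translate into concrete matching logic, here is an added Python example (not code from the original post or from RSA NetWitness) that derives the relevant meta fields from constructed raw HTTP requests and applies both rules. The host names, paths and parameter values are placeholders, and the way 'client' and 'directory' are derived is an assumption about how the NetWitness parser fills those keys.

```python
from typing import Dict, Optional

# Constructed sample requests (not captures from the post); hosts, paths and
# parameter values are placeholders, only the traits the two queries key on
# (POST, no Referer, //home/ directory, WinHTTP client, query prefix) are modelled.
SAMPLE_REQUESTS = [
    # check-in: POST under //home/, no Referer, WinHTTP client
    "POST //home/index.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    "User-Agent: WinHttpClient\r\nContent-Length: 0\r\n\r\n",
    # command result upload: query begins with commandid=cmdresult=
    "POST /api/result.aspx?commandid=cmdresult=1&data=AAAA HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\nUser-Agent: WinHttpClient\r\n\r\n",
    # benign browser POST that carries a Referer header
    "POST //home/login HTTP/1.1\r\nHost: intranet.example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\nReferer: http://intranet.example.invalid/\r\n\r\n",
]

def extract_meta(raw: str) -> Dict[str, Optional[str]]:
    """Approximate the meta keys the queries use. Assumed: 'client' is the
    lower-cased User-Agent, 'directory' is the path up to its last slash."""
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {
        "service": "80",                     # plain HTTP on port 80 assumed
        "action": method.lower(),
        "directory": path[: path.rfind("/") + 1],
        "query": query or None,
        "client": headers.get("user-agent", "").lower() or None,
        "referer": headers.get("referer"),  # None models 'referer !exists'
    }

def is_checkin(m: Dict[str, Optional[str]]) -> bool:
    # service = 80 && action = 'post' && referer !exists && directory = '//home/' && client = 'winhttpclient'
    return (m["service"] == "80" and m["action"] == "post" and m["referer"] is None
            and m["directory"] == "//home/" and m["client"] == "winhttpclient")

def is_cmd_result(m: Dict[str, Optional[str]]) -> bool:
    # service = 80 && action = 'post' && referer !exists && query begins 'commandid=cmdresult='
    return (m["service"] == "80" and m["action"] == "post" and m["referer"] is None
            and (m["query"] or "").startswith("commandid=cmdresult="))

def classify(raw: str) -> Optional[str]:
    m = extract_meta(raw)
    return "ismdoor-checkin" if is_checkin(m) else "ismdoor-c2-result" if is_cmd_result(m) else None
```

The third sample is deliberately a near miss: it lands under //home/ but carries a Referer, so neither rule fires, which is the role the referer !exists clause plays in both queries.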


For more information on Greenbug, please check the Symantec blog here. Scan results for Ismdoor variants can be found here and here.


All the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

If the threat.desc meta key is enabled, then you can use the following query:

    threat.desc = 'apt-Ismdoor-c2'