Ahmed Sonbol

Malspam delivers ISR Stealer 2-13-2017

Blog Post created by Ahmed Sonbol Employee on Feb 14, 2018

Malspam activity was observed on February 13th delivering a variant of ISR password stealer. ISR was reportedly used in spear phishing attacks against food and machine industries. In this blog post we will discuss the network activity using RSA NetWitness Packets.


The delivery document Payment receipt.doc is crafted to exploit CVE-2017-11882. You can learn more about the vulnerability in this FirstWatch threat advisory.



Opening the malicious document with an un-patched Microsoft Word application led to the following network activity:





Once 99v.exe executes on the victim machine, it starts to communicate with what looks to be a compromised Wordpress website transeagleperu[.]com:



Since the User-Agent string used in this session is common to ISR variants, it was tagged with the value known bad ua credentialleak under Indicators of Compromise meta key:



It is worth mentioning that the delivery domain menorasarainc[.]info has been active over the past week:



Payment receipt.doc (SHA256):

  • 383521ecc7aa09050e82498e10c756c866b0ce47702d77c6a5a4a7da98517146


99v.exe (SHA256):

  • 29eb49ad843aa992abff873d9b611a62248b2b8b4fbfa900bb7712f6aa6cda65


All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’