Greenbug
Greenbug is an Iranian threat actor associated with espionage and credential theft activity. Reporting cited in the content links Greenbug to operations against organizations in South Asia’s telecommunications sector, to infrastructure and domain registrations impersonating Israeli high-tech and cybersecurity companies, and to activity connected to Saudi organizations in the context of Shamoon-related attacks. Researchers assessed Greenbug as a possible collaborator supporting Shamoon by stealing user credentials ahead of destructive attacks. Greenbug is associated with the ISMdoor/Ismdoor malware family and a remote access Trojan referred to in the content as Ism.exe/ISMAgent. The malware evolved across multiple versions, with later versions adding keylogging, Powercat-based shell access, and Mimikatz execution. Reported capabilities include self-update, self-removal, configuration retrieval, command execution, collection of extensive host and network information, enumeration of security products via WMI, credential theft, and deployment or execution of supporting tools such as WinIt.exe, Mimikatz, and PowerShell UAC-bypass scripts including Invoke-BypassUAC and Invoke-PsUACme. Greenbug used both HTTP- and DNS-based command and control. HTTP activity included communication with update.winappupdater.com over paths such as /Home/CC and /Home/CR, with additional referenced URIs /Home/SCV, /Home/BM, and /Home/AV. Later tradecraft shifted to covert DNS tunneling. The content states ISMAgent/Ismdoor used DNS AAAA queries and, in some reporting, DNS TXT records to create a bidirectional C2 channel for command delivery and data exfiltration. The DNS-based channel used specially crafted query names, IPv6 responses, and session identifiers, and was described as rare, covert, and suited to long-term operations. 
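A defender-side heuristic for the AAAA-query tunneling described above, added here as an example rather than code from the page or any vendor's product: it scores each client's AAAA queries to a registered domain by volume, subdomain uniqueness, average label length and entropy. The log format, the thresholds and the domain tunnel-placeholder.example are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the page): "<ts> <client> <qtype> <qname>".
# tunnel-placeholder.example is a hypothetical domain standing in for a C2 endpoint.
SAMPLE_LOG = """\
1 10.0.0.5 A www.example.com
2 10.0.0.5 AAAA 4f1e9a7c3b2d8e6f0a5c.71a3.tunnel-placeholder.example
3 10.0.0.5 AAAA 9c0b3d7e1f2a6c8e4d5b.71a3.tunnel-placeholder.example
4 10.0.0.5 AAAA a3e8f1c5d9b2e7f4a6c0.71a3.tunnel-placeholder.example
5 10.0.0.5 AAAA 6d2c8b4e0f9a1c3e5b7d.71a3.tunnel-placeholder.example
6 10.0.0.5 AAAA 0e5a7f3c9d1b4e8a2c6f.71a3.tunnel-placeholder.example
7 10.0.0.5 AAAA mail.example.com
8 10.0.0.9 AAAA www.example.org
"""

def entropy(s):
    """Shannon entropy of a string in bits (0.0 for the empty string)."""
    if not s:
        return 0.0
    freqs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in freqs)

def split_name(qname):
    """(subdomain, registered domain); assumes the last two labels are registered (use a PSL in production)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_aaaa_tunnels(log, min_queries=5, min_sublen=16, min_entropy=3.0):
    """Flag (client, registered domain) pairs whose AAAA queries look like an encoded-payload
    channel: many queries, every subdomain distinct, and long, high-entropy subdomains on average."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "AAAA":
            continue
        sub, reg = split_name(parts[3])
        st = stats[(parts[1], reg)]
        st["n"] += 1
        st["subs"].add(sub)
        st["len"] += len(sub)
        st["ent"] += entropy(sub)
    flagged = []
    for (client, reg), st in stats.items():
        n = st["n"]
        if (n >= min_queries and len(st["subs"]) == n
                and st["len"] / n >= min_sublen and st["ent"] / n >= min_entropy):
            flagged.append({"client": client, "domain": reg, "queries": n})
    return flagged
```

Thresholds are starting points; legitimate CDN and anti-spam lookups also produce long AAAA names, so baseline per-domain rates before alerting.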
Infrastructure linked to Greenbug included command-and-control domains such as thetareysecurityupdate[.]com and securepackupdater[.]com, as well as a broader cluster of lookalike domains impersonating Israeli companies and one Saudi company. Published linked domains included outbrainsecupdater[.]com, securelogicupdater[.]com, wixwixwix[.]com, biocatchsecurity[.]com, corticasecurity[.]com, covertixsecurity[.]com, arbescurity[.]com, ymaaz[.]com, winsecupdater[.]com, dnsupdater[.]com, winscripts[.]net, allsecpackupdater[.]com, lbolbo[.]com, oospoosp[.]com, osposposp[.]com, znazna[.]com, mbsmbs[.]com, benyaminsecupdater[.]com, and ntpupdateserver[.]com. The content also notes overlap or linkage in reporting between ISMAgent/ISMDoor and OilRig DNS-tunneling tradecraft, including a statement that ISMAgent used a DNS tunneling protocol very similar to ISMDoor. However, the only association directly stated in the content is that Greenbug is linked to ISMDoor/ISMAgent.
Tradecraft
23 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
33 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Referenced as related background material in a detection rule for IIS connection string decryption; the content does not provide substantive details about Greenbug's activity in the body text.
Referenced only as a separate cluster previously linked to ISMDoor; mentioned to contextualize similarities between ISMAgent and ISMDoor DNS-tunneling behavior.
Registered lookalike domains impersonating Israeli high-tech and cybersecurity companies, and used ISMdoor samples and related command-and-control infrastructure in a likely targeting campaign.
Credential-theft and remote access activity supporting Shamoon operations, including use of the Ismdoor RAT with DNS-based C2 (DNS tunneling/DNSMessenger-style) to issue commands and exfiltrate data; uses credential dumping (likely Mimikatz) and keylogging to harvest credentials ahead of destructive attacks.