MalwareUsed by 1 actor

ISM RAT

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Greenbug

Yara Signature rule trojan_ismrat_gen { meta: description = "ISM RAT" ... } ... The second and 5.0.0 versions ... store the name of the executable Ism.exe in a structure.

via ncc group researchnccgroup.com

MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique

T1059Command and Scripting InterpreterEvidence1

This is the instruction used to run commands and retrieve information about the infected machine. The script is formatted to show the different information gathered from a victim’s machine... cmd /a /c ipconfig /all ... net view ... netstat -ant ... systeminfo ... tasklist ... sc query ... WMIC ...

Privilege Escalation

1 technique

T1548.002Bypass User Account ControlEvidence1

seems to utilize a UAC bypass Powershell script called Invoke-BypassUAC and another called invoke-psuacme

Credential Access

2 techniques

T1003OS Credential DumpingEvidence1

Finally, the RAT includes an option to run Mimikatz

T1056.001KeyloggingEvidence1

the RAT contains the ability to execute a keylogger, which in version 5.0.0 is named WinIt.exe. The RAT can also remove the keylogger if instructed to

Discovery

9 techniques

T1007System Service DiscoveryEvidence1

cmd /a /c sc query >> "%localappdata%\MicrosoftWindowsjTmp765643.txt"

T1016System Network Configuration DiscoveryEvidence1

cmd /a /c ipconfig /all >>"%localappdata%\MicrosoftWindowsjTmp765643.txt"

T1033System Owner/User DiscoveryEvidence1

cmd /a /c echo %userdomain%\%username% >>"%localappdata%\MicrosoftWindowsjTmp765643.txt"

T1046Network Service DiscoveryEvidence1

cmd /a /c net view >>"%localappdata%\MicrosoftWindowsjTmp765643.txt"

T1049System Network Connections DiscoveryEvidence1

cmd /a /c netstat -ant >>"%localappdata%\MicrosoftWindowsjTmp765643.txt"

T1057Process DiscoveryEvidence1

cmd /a /c tasklist >> "%localappdata%\MicrosoftWindowsjTmp765643.txt" ... The RAT also leverages a command prompt for getting the process information from tasklist

T1082System Information DiscoveryEvidence1

The commands retrieve the following information: Username ... IP Configuration ... System Information ... Task list ... Services ... Security Information

T1087Account DiscoveryEvidence1

cmd /a /c net user administrator /domain >>"%localappdata%\MicrosoftWindowsjTmp765643.txt"

T1518Software DiscoveryEvidence1

cmd /u /c WMIC /Node:localhost /Namespace:root\SecurityCenter Path AntiVirusProduct Get /Format:List ... FirewallProduct ... AntiSpywareProduct

Collection

1 technique

T1056.001KeyloggingEvidence1

the RAT contains the ability to execute a keylogger, which in version 5.0.0 is named WinIt.exe. The RAT can also remove the keylogger if instructed to

Command and Control

3 techniques

T1071.001Web ProtocolsEvidence1

checking the connection by issuing a POST request to /Home/CC, under update.winappupdater.com ... The RAT communicates with the URL Home/CR for command retrieval ... Home/SCV is used for reporting back the result of a command post execution.

T1105Ingress Tool TransferEvidence1

As noted in McAfee’s blog post, the RAT offers the option to use Powercat. Powercat will connect to port 4444 on the remote server, allowing the user to obtain a shell on the infected machine and execute commands. Finally, the RAT includes an option to run Mimikatz

T1219Remote Access ToolsEvidence1

Powercat will connect to port 4444 on the remote server, allowing the user to obtain a shell on the infected machine and execute commands.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

ncc group researchNews

Feb 17, 2017

ISM RAT

Remote access trojan used by Greenbug for command execution, system reconnaissance, keylogging, and C2 communications. Later versions added support for Powercat, Mimikatz, and execution of system information gathering commands.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping16

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.