Iranian Threat Agent Greenbug Impersonates Israeli High-Tech
and Cyber Security Companies – ClearSky Cyber Security
Published: 2017-10-24 · Archived: 2026-04-05 15:32:16 UTC
Iranian Threat Agent Greenbug  has been registering domains similar to those of Israeli High-Tech and Cyber
Security Companies.
On 15 October 2017 a sample of ISMdoor was submitted to VirusTotal from Iraq.  The sample name
was WmiPrv.tmp (f5ef3b060fb476253f9a7638f82940d9) and it had the following PDB string:
C:\Users\Void\Desktop\v 10.0.194\x64\Release\swchost.pdb
Two domains were used for command and control:
thetareysecurityupdate[.]com
securepackupdater[.]com
By pivoting off the registration details and servers data of the two domains we discovered others registered by the
threat agent. Eight contain the name of Israeli high-tech and cyber security companies and one of a Saudi Arabian
testing & commissioning of major electrical equipment company.
We estimate that the domains were registered in order to be used when targeting these companies, organisations
related to them, or unrelated third parties. However, we do not have any indication that the companies were
actually targeted or otherwise impacted.
Below are the malicious domains and the companies who’s names were used.
Malicious Domain Impersonated company
Registration
date
winsecupdater[.]com 11/6/2016
dnsupdater[.]com 12/4/2016
winscripts[.]net 3/4/2017
allsecpackupdater[.]com Uncertain 4/8/2017
lbolbo[.]com 4/8/2017
securepackupdater[.]com  Uncertain 4/8/2017
thetaraysecurityupdate[.]com
ThetaRay (thetaray.com) – An Israeli cyber security and
big data analytics company
4/8/2017
http://www.clearskysec.com/greenbug/
Page 1 of 4

ymaaz[.]com
YMAAZE (ymaaze.com) – A Saudi Arabian testing &
commissioning of major electrical equipment company
4/8/2017
oospoosp[.]com 8/9/2017
osposposp[.]com 8/9/2017
znazna[.]com 8/9/2017
mbsmbs[.]com 8/9/2017
outbrainsecupdater[.]com
Outbrain (outbrain.com)– A major Israeli online
advertising company
8/9/2017
securelogicupdater[.]com
SecureLogic (space-logic.com) – Likely an Israeli
marketer of airport security systems by the same name.
Other companies with the same name exist.
8/9/2017
benyaminsecupdater[.]com  Uncertain 8/9/2017
wixwixwix[.]com
Wix (wix.com) – A major Israeli cloud-based web
development platform
8/9/2017
biocatchsecurity[.]com
Biocatch (biocatch.com) – an Israeli company developing
technology for behavioral biometrics for fraud prevention
and detection
10/14/2017
corticasecurity[.]com
Cortica (cortica.com) – an Israeli company developing
Artificial Intelligence technology
10/14/2017
covertixsecurity[.]com
Covertix (covertix.com) – An Israeli data security
company
10/14/2017
arbescurity[.]com
Arbe Robotics (arberobotics.com)– An Israeli company
developing autonomous driving technology
10/14/2017
Indicators of compromise
Indicators of compromise are presented below and are available on PassiveTotal.
Domain allsecpackupdater[.]com
Domain znazna[.]com
Domain arbescurity[.]com
Domain benyaminsecupdater[.]com
http://www.clearskysec.com/greenbug/
Page 2 of 4

Domain biocatchsecurity[.]com
Domain corticasecurity[.]com
Domain covertixsecurity[.]com
Domain dnsupdater[.]com
Domain lbolbo[.]com
Domain mbsmbs[.]com
Domain ntpupdateserver[.]com
Domain oospoosp[.]com
Domain osposposp[.]com
Domain outbrainsecupdater[.]com
Domain securelogicupdater[.]com
Domain securepackupdater[.]com
Domain thetaraysecurityupdate[.]com
Domain winscripts[.]net
Domain winsecupdater[.]com
Domain wixwixwix[.]com
Domain ymaaz[.]com
Domain benyaminsecupdater[.]com
Filename WmiPrv.tmp
Hash 37d586727c1293d8a278b69d3f0c5c4b
Hash 82755bf7ad786d7bf8da00b6c19b6091
Hash ad5120454218bb483e0b8467feb3a20f
Hash e0175eecf8d31a6f32da076d22ecbdff
Hash f5ef3b060fb476253f9a7638f82940d9
IP 151.80.113.150
IP 151.80.221.23
IP 217.182.244.254
http://www.clearskysec.com/greenbug/
Page 3 of 4

IP 46.105.130.98
IP 5.39.31.91
IP 80.82.66.164
SSLCertificate 3b0b85ea32cab82eaf4249c04c05bdfce5b6074ca076fedf87dbea6b28fab99d
The Maltego graph below depicts the relationship among the indicators (click to enlarge):
Update 2017-10-25 – three hashes removed from IOC list
The following hashes were mistakenly included in the IOC list and have been removed, as they are unrelated to
the campaign:
c594b52ec8922a1e980a2ea31b1d1157
179cb8839e9ee8e9e6665b0986bf7811
d30c4df6de21275ae69a4754fc2372ef
Source: http://www.clearskysec.com/greenbug/
http://www.clearskysec.com/greenbug/
Page 4 of 4