[SERVICES](http://www.clearskysec.com/services/) [ABOUT](http://www.clearskysec.com/about/) [BLOG](http://www.clearskysec.com/blog/) [COLLABORATION](http://www.clearskysec.com/collaborate/)


# BLOG


[Clear Sky > Blog > Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security](http://www.clearskysec.com/)

Companies


### Recent Posts


## Iranian Threat Agent Greenbug Impersonates Israeli

 High-Tech and Cyber Security Companies


By Clearsky October 24, 2017 [Campaigns](http://www.clearskysec.com/category/campaigns/)


[Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and](http://www.clearskysec.com/ismagent/)

Cyber Security Companies.

[On 15 October 2017 a sample of ISMdoor was submitted to VirusTotal from Iraq. The sample name](https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/)

was WmiPrv.tmp (f5ef3b060fb476253f9a7638f82940d9) and it had the following PDB string:

C:\Users\Void\Desktop\v 10.0.194\x64\Release\swchost.pdb

Two domains were used for command and control:

thetareysecurityupdate[.]com

securepackupdater[.]com

By pivoting off the registration details and servers data of the two domains we discovered others

registered by the threat agent. Eight contain the name of Israeli high-tech and cyber security companies

and one of a Saudi Arabian testing & commissioning of major electrical equipment company.

We estimate that the domains were registered in order to be used when targeting these companies,

organisations related to them, or unrelated third parties. However, we do not have any indication that the

companies were actually targeted or otherwise impacted.

Below are the malicious domains and the companies who’s names were used.


Iranian Threat Agent Greenbug Impersonates

Israeli High-Tech and Cyber Security Companies

Recent ISMAgent Samples and Infrastructure by

Iranian Threat Group GreenBug

[The Economy Behind Phishing Websites Creation](http://www.clearskysec.com/the-phishing-economy/)

Operation Wilted Tulip - Exposing a Cyber

Espionage Apparatus

[Recent Winnti Infrastructure and Samples](http://www.clearskysec.com/winnti/)


**Malicious Domain** **Impersonated**

**company**


**Registration**

**date**


winsecupdater[.]com 11/6/2016

dnsupdater[.]com 12/4/2016

winscripts[.]net 3/4/2017

**allsecpackupdater[.]com** Uncertain 4/8/2017

lbolbo[.]com 4/8/2017

**securepackupdater[.]com** Uncertain 4/8/2017


**thetaraysecurityupdate[.]com** **ThetaRay**

(thetaray.com) – An

Israeli cyber security

and big data

analytics company

**ymaaz[.]com** **YMAAZE**

(ymaaze.com) – A

Saudi Arabian

testing &

commissioning of

major electrical

equipment company


4/8/2017

4/8/2017


oospoosp[.]com 8/9/2017

osposposp[.]com 8/9/2017

znazna[.]com 8/9/2017


-----

major Israeli online

advertising

company

**securelogicupdater[.]com** **SecureLogic (space-**

logic.com) – Likely

an Israeli marketer

of airport security

systems by the

same name. Other

companies with the

same name exist.


8/9/2017


**benyaminsecupdater[.]com** Uncertain 8/9/2017


**wixwixwix[.]com** **Wix (wix.com) – A**

major Israeli cloud
based web

development

platform

**biocatchsecurity[.]com** **Biocatch**

(biocatch.com) – an

Israeli company

developing

technology for

behavioral

biometrics for fraud

prevention and

detection

**corticasecurity[.]com** **Cortica**

(cortica.com) – an

Israeli company

developing Arti�cial

Intelligence

technology

**covertixsecurity[.]com** **Covertix**

(covertix.com) – An

Israeli data security

company

**arbescurity[.]com** **Arbe Robotics**

(arberobotics.com)–

An Israeli company

developing

autonomous driving

technology

## Indicators of compromise


8/9/2017

10/14/2017

10/14/2017

10/14/2017

10/14/2017


[Indicators of compromise are presented below and are available on PassiveTotal.](https://community.riskiq.com/projects/08f78dc3-054a-493a-e20d-c73cb6958dcb)

Domain allsecpackupdater[.]com

Domain znazna[.]com

Domain arbescurity[.]com

Domain benyaminsecupdater[.]com

Domain biocatchsecurity[.]com

Domain corticasecurity[.]com

Domain covertixsecurity[.]com

Domain dnsupdater[.]com

Domain lbolbo[.]com

Domain mbsmbs[.]com

Domain ntpupdateserver[.]com


-----

Domain outbrainsecupdater[.]com

Domain securelogicupdater[.]com

Domain securepackupdater[.]com

Domain thetaraysecurityupdate[.]com

Domain winscripts[.]net

Domain winsecupdater[.]com

Domain wixwixwix[.]com

Domain ymaaz[.]com

Domain benyaminsecupdater[.]com

Filename WmiPrv.tmp

Hash 37d586727c1293d8a278b69d3f0c5c4b

Hash 82755bf7ad786d7bf8da00b6c19b6091

Hash ad5120454218bb483e0b8467feb3a20f

Hash e0175eecf8d31a6f32da076d22ecbdff

Hash f5ef3b060fb476253f9a7638f82940d9

IP 151.80.113.150

IP 151.80.221.23

IP 217.182.244.254

IP 46.105.130.98

IP 5.39.31.91

IP 80.82.66.164

SSLCerti�cate 3b0b85ea32cab82eaf4249c04c05bdfce5b6074ca076fedf87dbea6b28fab99d

The Maltego graph below depicts the relationship among the indicators (click to enlarge):

**Update 2017-10-25 – three hashes removed from IOC list**

The following hashes were mistakenly included in the IOC list and have been removed, as they are

unrelated to the campaign:

c594b52ec8922a1e980a2ea31b1d1157

179cb8839e9ee8e9e6665b0986bf7811

d30c4df6de21275ae69a4754fc2372ef


### ClearSky

 Ahead of the threat curve


-----

-----