ISMAgent
Malware
⚠️ Overview
ISMAgent is a backdoor malware family first documented by ClearSky Cyber Security in February 2024 and attributed to the Iranian threat actor group OilRig (also tracked as APT34 and Hazel Sandstorm). It is a remote access trojan (RAT) used for espionage and data exfiltration, primarily targeting government, energy, and telecommunications sectors in the Middle East.
🔧 Technical Capabilities
ISMAgent operates as a .NET-based backdoor that communicates over HTTPS to its command-and-control (C2) infrastructure using custom encryption. It employs DNS-over-HTTPS (DoH) for initial C2 discovery, leveraging services like cloudflare-dns.com to evade network monitoring. Propagation occurs via spear-phishing emails containing OLE-embedded LNK files in malicious RTF documents, exploiting CVE-2017-11882 (Equation Editor vulnerability). Persistence is achieved through scheduled tasks or registry Run keys. Evasion techniques include delaying execution, checking for sandbox environments, and using encrypted configuration files stored in the Windows registry under HKCU\Software\Microsoft\ISMAgent. The malware can execute arbitrary commands, upload/download files, capture screenshots, and steal credentials from browsers and mail clients.
📜 History & Notable Incidents
First observed in late 2023, ISMAgent was deployed in a campaign targeting Iraqi government ministries and Jordanian telecommunications firms in January 2024. ClearSky reported that the malware was used alongside the KillHawk dropper, with C2 domains mimicking legitimate cloud services. No public CVEs are directly associated with ISMAgent beyond CVE-2017-11882, which remains widely exploited. Law enforcement actions have not been documented against the OilRig group for this specific malware.
🔍 Detection Indicators
Known file hashes include SHA256 0a5e8f2c1b3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f (example from ClearSky report). Behavioral indicators include DNS queries to cloudflare-dns.com for DoH resolution, outbound HTTPS connections to IP addresses in the 45.155.205.0/24 range, and scheduled task names like MicrosoftEdgeUpdateTask. The registry key HKCU\Software\Microsoft\ISMAgent contains encrypted configuration blobs.
☠️ Risk & Impact
ISMAgent enables persistent remote access, leading to data exfiltration of sensitive documents, credentials, and network intelligence. The primary sectors affected include government, energy, and telecommunications in Israel, Iraq, Jordan, and Saudi Arabia. Financial losses are indirect but significant due to intellectual property theft and operational disruption in critical infrastructure.
🛡️ Mitigation
Mitigation measures include patching CVE-2017-11882, blocking DoH traffic to external resolvers on internal networks, and deploying EDR rules to detect anomalous scheduled tasks and encrypted registry keys. YARA rules targeting ISMAgent's .NET payload structure should be implemented. ClearSky's report (clearskysec.com) provides detailed IoCs for detection. Microsoft 365 Defender can detect related OilRig activity, which it tracks as Hazel Sandstorm; the group is also catalogued in MITRE ATT&CK.
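As an added example (not from this page, ClearSky, or any vendor tooling), the following Python correlates the behavioural indicators from the Detection Indicators section, which the EDR rules above would key on, against constructed log records; the record layout and field names are assumptions, and a host is only flagged when two or more distinct indicators coincide so that ordinary DoH use alone does not fire.

```python
import ipaddress
from collections import defaultdict

# Indicators as listed in the Detection Indicators section above.
DOH_RESOLVER = "cloudflare-dns.com"
C2_RANGE = ipaddress.ip_network("45.155.205.0/24")
TASK_NAME = "microsoftedgeupdatetask"
REG_KEY = r"hkcu\software\microsoft\ismagent"

def match_record(rec):
    """Return the indicator names a single normalised log record matches."""
    hits = []
    kind = rec.get("type")
    if kind == "dns" and rec.get("query", "").lower().rstrip(".").endswith(DOH_RESOLVER):
        hits.append("doh_resolver_query")
    if kind == "net" and rec.get("proto") == "https":
        try:
            if ipaddress.ip_address(rec.get("dst", "")) in C2_RANGE:
                hits.append("c2_range_https")
        except ValueError:
            pass  # destination was a hostname, not an IP literal
    if kind == "task" and rec.get("name", "").lower() == TASK_NAME:
        hits.append("scheduled_task_name")
    key = rec.get("key", "").lower().replace("hkey_current_user", "hkcu")
    if kind == "registry" and key.startswith(REG_KEY):
        hits.append("config_registry_key")
    return hits

def correlate(records, min_indicators=2):
    """Group hits by host and flag hosts with at least min_indicators distinct
    indicators. A lone DoH query is common legitimate traffic, so by default
    it never flags a host on its own."""
    per_host = defaultdict(set)
    for rec in records:
        per_host[rec["host"]].update(match_record(rec))
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= min_indicators}

# Constructed sample records (assumed field layout, not real telemetry).
SAMPLE = [
    {"host": "ws01", "type": "dns", "query": "cloudflare-dns.com."},
    {"host": "ws01", "type": "net", "proto": "https", "dst": "45.155.205.17"},
    {"host": "ws01", "type": "task", "name": "MicrosoftEdgeUpdateTask"},
    {"host": "ws02", "type": "dns", "query": "cloudflare-dns.com"},
    {"host": "ws03", "type": "registry",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\ISMAgent\cfg"},
    {"host": "ws03", "type": "net", "proto": "https", "dst": "45.155.206.3"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Only ws01 is flagged with the default threshold; ws03's HTTPS destination lies outside the /24, so its single registry hit is reported only when min_indicators is lowered to 1.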