ISMDoor

Description

(Arbor) ISMDoor has an encrypted configuration that contains a primary and secondary C2 domain, various identifiers, timeouts, and flags. These values can be updated by later C2 commands. A substitution cipher is used to decrypt the configuration when it is needed. The character mapping has been consistent across samples, and we have made available a Python snippet of it on GitHub.

Names

Name
ISMDoor

Category

Tools

Type

  • Backdoor
  • Tunneling

Information

Malpedia

AlienVault OTX

Other Information

Uuid

889bdc01-47e6-4026-ae68-abe9dc87404e

Last Card Change

2020-04-23