ISM RAT
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Yara Signature rule trojan_ismrat_gen { meta: description = "ISM RAT" ... } ... The second and 5.0.0 versions ... store the name of the executable Ism.exe in a structure.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 techniqueThis is the instruction used to run commands and retrieve information about the infected machine. The script is formatted to show the different information gathered from a victim’s machine... cmd /a /c ipconfig /all ... net view ... netstat -ant ... systeminfo ... tasklist ... sc query ... WMIC ...
Privilege Escalation
1 techniqueseems to utilize a UAC bypass Powershell script called Invoke-BypassUAC and another called invoke-psuacme
Credential Access
2 techniquesFinally, the RAT includes an option to run Mimikatz
Discovery
9 techniquescmd /a /c sc query >> "%localappdata%\MicrosoftWindowsjTmp765643.txt"
cmd /a /c ipconfig /all >>"%localappdata%\MicrosoftWindowsjTmp765643.txt"
cmd /a /c echo %userdomain%\%username% >>"%localappdata%\MicrosoftWindowsjTmp765643.txt"
cmd /a /c net view >>"%localappdata%\MicrosoftWindowsjTmp765643.txt"
cmd /a /c netstat -ant >>"%localappdata%\MicrosoftWindowsjTmp765643.txt"
cmd /a /c tasklist >> "%localappdata%\MicrosoftWindowsjTmp765643.txt" ... The RAT also leverages a command prompt for getting the process information from tasklist
The commands retrieve the following information: Username ... IP Configuration ... System Information ... Task list ... Services ... Security Information
cmd /a /c net user administrator /domain >>"%localappdata%\MicrosoftWindowsjTmp765643.txt"
cmd /u /c WMIC /Node:localhost /Namespace:root\SecurityCenter Path AntiVirusProduct Get /Format:List ... FirewallProduct ... AntiSpywareProduct
Collection
1 techniqueCommand and Control
3 techniqueschecking the connection by issuing a POST request to /Home/CC, under update.winappupdater.com ... The RAT communicates with the URL Home/CR for command retrieval ... Home/SCV is used for reporting back the result of a command post execution.
As noted in McAfee’s blog post, the RAT offers the option to use Powercat. Powercat will connect to port 4444 on the remote server, allowing the user to obtain a shell on the infected machine and execute commands. Finally, the RAT includes an option to run Mimikatz
Powercat will connect to port 4444 on the remote server, allowing the user to obtain a shell on the infected machine and execute commands.
Recent activity
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.