This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Detecting ISR variants using RSA NetWitness

AhmedSonbol1
Employee
Employee
‎2016-12-07 10:07 AM

ISR is a password stealer that has been spreading through phishing attacks. The malware targets different browsers and programs in order to steal the victim passwords. In this blog post we will discuss how to detect ISR traffic using RSA NetWitness.

 

ISR uploads the stolen data to compromised websites as shown in the screenshot below

 

ISR-1.png

 

The unique user-agent string used in this HTTP GET request is common among ISR variants:

 

ISR-2.png

 

Assuming the appropriate meta keys are enabled, the following query can be used to detect ISR network activity:

            service = 80 && client = ‘HardCore Software For : Public’

 

More information about ISR can be found on Intel Security blog. Scan results for an ISR binary can be found here.

 

All the IOCs from those sessions were added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

To find those IOCs using RSA NetWitness, please refer to this post.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.