Skip to content

S0189 ISMInjector

ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent. 1

Item Value
ID S0189
Associated Names
Version 1.1
Created 16 January 2018
Last Modified 31 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1140 Deobfuscate/Decode Files or Information ISMInjector uses the certutil command to decode a payload file.1
enterprise T1027 Obfuscated Files or Information ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by
enterprise T1055 Process Injection -
enterprise T1055.012 Process Hollowing ISMInjector hollows out a newly created process RegASM.exe and injects its payload into the hollowed process.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task ISMInjector creates scheduled tasks to establish persistence.1

Groups That Use This Software

ID Name References
G0049 OilRig 1