ISMInjector is a Trojan whose purpose is to inject another Trojan into a separate process. It was used in a targeted attack on a Saudi Arabian technology company, delivering a variant of the ISMAgent backdoor as its payload. The attack was detailed in a Palo Alto Networks blog post, which tentatively linked it to the Greenbug threat group. ISMInjector is obfuscated with the SmartAssembly .NET obfuscator from red-gate.com, and on its first execution it copies itself to %localappdata%\srvBS.txt to maintain persistent access to the system.
The ISMInjector uses a state machine model to create a remote process, inject its embedded payload, and then run the payload. Its functional code is split into two different embedded modules named Inner.dll and Joiner.dll. These work together to inject the embedded ISMAgent payload into another process. The main function within the ISMInjector assembly uses the Joiner module to construct the final payload and the Inner module to inject the final payload into a process.
In addition to these features, it is possible that part of ISMInjector was obfuscated by a crypter used by the threat actors to further complicate analysis. The payload delivered by this malware has been tracked as a new tool called ThreeDollars. Furthermore, the file "servicereset.exe", also referred to as ISMInjector, represents a new tool in the arsenal of OilRig, a notorious cyber threat group.
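Added triage example, not code from the Palo Alto Networks write-up: a Python script that checks the %localappdata%\srvBS.txt persistence location described above and reports whether the file is really a PE image hiding behind a .txt name and whether it carries the Inner.dll / Joiner.dll module names or the SmartAssembly marker. The function names and the constructed SAMPLE bytes are this example's own, and it assumes those marker strings appear in plaintext inside the assembly, which the description does not state.

```python
import hashlib
import os
from pathlib import Path
from typing import Optional

# Indicator strings taken from the description: the two embedded module names
# and the obfuscator name (assumed to be present in plaintext in the assembly).
# Both ASCII and UTF-16LE forms are checked, since .NET metadata stores names
# as ASCII while string literals are stored as UTF-16.
MODULE_NAMES = ("Inner.dll", "Joiner.dll")
OBFUSCATOR_MARKER = "SmartAssembly"

# Constructed sample (not a real malware hash or image): an MZ header followed
# by the indicator strings, used so the script can be exercised offline.
SAMPLE = (b"MZ" + b"\x00" * 62
          + b"Inner.dll\x00Joiner.dll\x00"
          + OBFUSCATOR_MARKER.encode("utf-16-le"))


def triage_bytes(data: bytes) -> dict:
    """Inspect a file image statically and return the indicators found."""
    found = [n for n in MODULE_NAMES + (OBFUSCATOR_MARKER,)
             if n.encode("ascii") in data or n.encode("utf-16-le") in data]
    return {
        "is_pe": data[:2] == b"MZ",   # PE executable despite the .txt extension
        "indicators": found,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def suspicious(result: dict) -> bool:
    """A .txt that is really a PE, or one carrying the module/obfuscator names."""
    return result["is_pe"] or bool(result["indicators"])


def default_location() -> Path:
    # %localappdata%\srvBS.txt, the copy the dropper makes on first execution
    base = os.environ.get("LOCALAPPDATA", str(Path.home() / "AppData" / "Local"))
    return Path(base) / "srvBS.txt"


def triage_path(path: Path) -> Optional[dict]:
    """Triage the file at path, or return None if it does not exist."""
    if not path.is_file():
        return None
    result = triage_bytes(path.read_bytes())
    result["path"] = str(path)
    return result


if __name__ == "__main__":
    r = triage_path(default_location())
    if r is None:
        print("srvBS.txt not present in %LOCALAPPDATA%")
    else:
        print("SUSPICIOUS" if suspicious(r) else "benign-looking", r)
```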
Description last updated: 2024-01-06T11:36:44.449Z