S0189: ISMInjector
ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent. [1]
Analyst context for executives and security teams
ISMInjector matters because it is not described as a standalone business-disruption tool; it is a Windows Trojan used to install another OilRig backdoor, ISMAgent. For leaders, the practical risk is loader behavior: if early-stage malware succeeds, the organization may lose the chance to contain an intrusion before persistence, stealth, and follow-on access are established.
Executive priority
Prioritize validation of Windows endpoint visibility and response readiness for loader-style malware associated with OilRig. The ATT&CK relationships point to obfuscation, deobfuscation, scheduled tasks, and process hollowing, so executive questions should focus on whether SOC and IR teams can prove they collect the evidence needed to see persistence and stealth behaviors, not merely whether a malware name is blocked. This is especially relevant for organizations concerned with sectors and supply-chain trust relationships referenced in the related OilRig description.
Technical view
ATT&CK provides no dedicated detection text for ISMInjector, so defenders should validate coverage through the related behaviors: Windows scheduled task creation or modification, suspicious process creation patterns, process hollowing indicators, and file or payload obfuscation/deobfuscation activity. Because the object is a Windows malware entry with relationships to T1053.005, T1055.012, T1027, and T1140, detection engineering should map alerts and hunts to those behaviors rather than rely on the software name alone.
Likely telemetry
- Windows process creation and command-line telemetry
- Windows scheduled task creation, modification, and execution records
- Endpoint detection and response events for process injection or process hollowing behaviors
- File creation, modification, and execution metadata for suspicious or encoded payloads
- Script, utility, or application activity associated with decoding or deobfuscating files
Detection direction
- Confirm whether scheduled task monitoring covers both command-line and GUI/API-created tasks, because T1053.005 can occur through multiple Windows mechanisms.
- Tune detections around unusual parent-child process relationships, suspended process creation, memory replacement, or other process hollowing indicators associated with T1055.012.
- Do not depend only on static signatures; the related T1027 and T1140 behaviors indicate obfuscated content and decoding activity may be relevant to analysis and detection.
- Correlate endpoint alerts with persistence evidence and follow-on backdoor installation risk, since the official description says ISMInjector installs ISMAgent.
- Account for false positives from legitimate software installers, administrative scheduling, and encoded files by requiring context such as unusual execution location, rare task names, unexpected parents, or abnormal user/host patterns.
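As an added illustration of the correlation and false-positive handling described in the bullets above, the following Python script is example code written for this page; it is not Glexia's, MITRE's, or any vendor's detection logic. It scores constructed process-creation and scheduled-task records for the two behaviours ATT&CK ties to ISMInjector (RegASM.exe hollowing, T1055.012, and scheduled-task persistence, T1053.005), then raises severity only when both appear on the same host inside a short window. The event schema, host names, paths, timestamps, the expected-parent list and the user-writable path markers are all assumptions to be tuned against local baselines.

```python
"""Toy correlation of process and scheduled-task telemetry for the ISMInjector
behaviours (T1055.012, T1053.005). All event shapes and values below are
constructed for this example and do not come from any product or sample."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (generic field names, not a real product schema).
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "RegAsm.exe", "user": "CORP\\alice"},
    {"ts": "2024-01-10T09:00:03", "host": "WS01", "type": "task_create",
     "task_name": "\\Microsoft\\Windows\\Sys\\UpdateCheck",
     "action": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "user": "CORP\\alice"},
    # Benign: a build server registering a COM-visible assembly from MSBuild.
    {"ts": "2024-01-10T11:30:00", "host": "BUILD02", "type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": 'RegAsm.exe /codebase "C:\\src\\out\\Interop.dll"',
     "user": "CORP\\svc_build"},
    # Benign: an administrator scheduling a vendor backup from Program Files.
    {"ts": "2024-01-10T12:00:00", "host": "SRV05", "type": "task_create",
     "task_name": "\\Backup\\NightlyDump",
     "action": r"C:\Program Files\VendorBackup\dump.exe",
     "user": "CORP\\backupadmin"},
]

# Assumption: parents that legitimately launch RegAsm.exe in this estate.
EXPECTED_REGASM_PARENTS = ("msbuild.exe", "devenv.exe", "msiexec.exe", "setup.exe")
# Assumption: path fragments that mark user-writable locations.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp", "\\users\\public",
                         "\\downloads", "\\programdata\\")


def _in_user_writable(path):
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def score_process(ev):
    """Return (score, reasons) for a process_create event; 0 means nothing notable."""
    reasons = []
    image, parent = ev["image"].lower(), ev["parent"].lower()
    if image.endswith("\\regasm.exe"):
        if parent.rsplit("\\", 1)[-1] not in EXPECTED_REGASM_PARENTS:
            reasons.append("regasm_unexpected_parent")
        if _in_user_writable(parent):
            reasons.append("regasm_parent_user_writable")
        # Legitimate RegAsm use names an assembly; a bare launch suits a hollowing host.
        if ev["cmdline"].strip().lower() in ("regasm.exe", '"regasm.exe"'):
            reasons.append("regasm_no_arguments")
    return len(reasons), reasons


def score_task(ev):
    """Return (score, reasons) for a task_create event."""
    reasons = []
    action, name = ev["action"].lower(), ev["task_name"].lower()
    if _in_user_writable(action):
        reasons.append("task_action_user_writable")
    under_trusted = action.startswith(("c:\\windows\\", "c:\\program files"))
    if name.startswith("\\microsoft\\") and not under_trusted:
        reasons.append("task_name_mimics_microsoft_folder")
    return len(reasons), reasons


def analyze(events, window=timedelta(minutes=5)):
    """Group scored events per host; 'high' only when a hollowing-style process
    indicator and a persistence indicator occur on the same host within `window`,
    otherwise 'medium' so a single behaviour is reviewed with context."""
    by_host = defaultdict(list)
    for ev in events:
        scorer = {"process_create": score_process, "task_create": score_task}.get(ev["type"])
        if scorer is None:
            continue
        score, reasons = scorer(ev)
        if score:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ev["type"], reasons))
    findings = []
    for host, hits in by_host.items():
        hits.sort()
        correlated = any(k1 != k2 and t2 - t1 <= window
                         for i, (t1, k1, _) in enumerate(hits)
                         for t2, k2, _ in hits[i + 1:])
        findings.append({"host": host,
                         "severity": "high" if correlated else "medium",
                         "reasons": sorted({r for _, _, rs in hits for r in rs})})
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["host"], f["severity"], ", ".join(f["reasons"]))
```

Run stand-alone, the script reports only WS01 at high severity; the MSBuild-launched RegAsm.exe and the vendor backup task score zero because their parent, path and argument context match the expected baselines, which is the kind of context the bullet on false positives asks for.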
Mitigation priorities
- Ensure Windows endpoints are covered by logging and response tooling capable of capturing process, scheduled task, file, and memory-related evidence.
- Harden and monitor scheduled task creation and modification, especially on high-value systems and servers where unauthorized persistence would materially affect operations.
- Use application control, least privilege, and administrative hygiene to reduce opportunities for unauthorized execution and persistence.
- Maintain IR playbooks for loader-to-backdoor scenarios, including host isolation, persistence review, memory/process triage, and scoping for related OilRig-associated activity where locally evidenced.
- Use the ATT&CK relationships as control-validation test cases for SOC readiness rather than treating the malware family name as the primary control objective.
Analyst notes and limits
The supplied object identifies ISMInjector as a Windows Trojan used to install ISMAgent and shows a relationship where OilRig uses it. The most actionable defensive value comes from the related ATT&CK techniques: Obfuscated Files or Information, Scheduled Task, Process Hollowing, and Deobfuscate/Decode Files or Information. These relationships support behavior-based detection and response planning.
MITRE does not provide official detection guidance for this object, and tactics are not specified on the malware object itself. The assessment is therefore based on the official description, external references, and relationship context only. Local telemetry, malware samples, environment baselines, and incident evidence are required to determine actual exposure or detection coverage.
ISMInjector
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ISMInjector uses the |
| Enterprise | T1027 | Obfuscated Files or Information | ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com. [1] |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | ISMInjector hollows out a newly created process RegASM.exe and injects its payload into the hollowed process. [1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | ISMInjector creates scheduled tasks to establish persistence. [1] |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 78f8338f34f1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] OilRig New Delivery Oct 2017: Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
[2] ISMInjector (Citation: OilRig New Delivery Oct 2017)
[3] mitre-attack S0189
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.