Poison Ivy: Assessing Damage and Extracting Intelligence

Today, our research team is publishing a report
on the Poison Ivy family of remote access tools (RATs) along with a
package of tools created to work as a balm of sorts — naturally, we’re
calling the package “Calamine.”

In an era of sophisticated cyber attacks, you might wonder why we’re
even bothering with this well-known, downright ancient pest. As we
explain in the paper, dismissing Poison Ivy could be a costly mistake.

RATs may well be the hacker’s equivalent of training wheels, as they
are often regarded in IT security circles. But despite their
reputation as a software toy for novice “script kiddies,” RATs remain
a linchpin of many sophisticated cyber attacks and are used by
numerous threat actors.

Requiring little technical savvy, RATs offer unfettered access to
compromised machines. They are deceptively simple — attackers can
point and click their way through the target’s network to steal data
and intellectual property. But they are often delivered as a key
component of coordinated attacks that use previously unknown
(zero-day) software flaws and clever social engineering.

Even as security professionals shrug off the threat, the presence of
a RAT may in itself indicate a targeted attack known as an advanced
persistent threat (APT). Unlike malware focused on opportunistic
cybercrime (typically conducted by botnets of compromised machines),
RATs require a live person on the other side of the attack.

Poison Ivy has been used in several high-profile malware campaigns,
most infamously, the 2011 compromise of RSA SecurID data. The same
year, Poison Ivy powered a coordinated attack dubbed “Nitro” against
chemical makers, government offices, defense firms, and human-rights groups.

We have discovered several nation-state threat actors actively
using Poison Ivy, including the following:

  • admin@338 — Active since 2008, this actor mostly targets the
    financial services industry, though we have also seen activity in
    the telecom, government, and defense sectors.
  • th3bug —
    First detected in 2009, this actor targets a number of industries,
    primarily higher education and healthcare.
  • menuPass — Also
    first detected in 2009, this actor targets U.S. and overseas defense

Understanding why Poison Ivy remains one of the most widely used
RATs is easy. Controlled through a familiar Windows interface, it
offers a bevy of handy features: key logging, screen capture, video
capturing, file transfers, password theft, system administration,
traffic relaying, and more.

Here is how a typical Poison Ivy attack works:

  1. The attacker sets up a custom PIVY server, tailoring details
    such as how Poison Ivy will install itself on the target computer,
    what features are enabled, the encryption password, and so on.
  2. The attacker sends the PIVY server installation file to the
    targeted computer. Typically, the attacker takes advantage of a
    zero-day flaw. The target executes the file by opening an infected
    email attachment, for example, or visiting a compromised
  3. The server installation file begins executing on the
    target machine. To avoid detection by anti-virus software, it
    downloads additional code as needed through an encrypted
    communication channel.
  4. Once the PIVY server is up and
    running on the target machine, the attacker uses a Windows GUI
    client to control the target computer.

Poison Ivy is so widely used that security professionals have a
harder time tracing attacks that use the RAT to any particular attacker.

We hope to eliminate some of that anonymity with the Calamine
package. The package, which enables organizations to easily monitor
Poison Ivy’s behavior and communications, includes these

ChopShop[1] is a new framework developed by the MITRE
Corporation for network-based protocol decoders that enable security
professionals to understand actual commands issued by human
operators controlling endpoints. The FireEye PIVY module for
ChopShop decrypts Poison Ivy network traffic.

meanwhile, are Python scripts that automate tasks for Immunity
Debugger, a popular tool for reverse-engineering malware
binaries.[2] The FireEye PyCommand script dumps configuration
information from a running PIVY process on an infected endpoint,
which can provide additional telemetry about the threat actor behind
the attack.

FireEye is sharing the Calamine tools with the
security community at large under the BSD 2-Clause license[3] for
both commercial and non-commercial use worldwide.

By tracking
the PIVY server activity, security professionals can find these
telltale indicators:

  • The domains and IPs used for CnC
  • The attacker’s PIVY
    process mutex
  • The attacker’s PIVY password
  • The
    launcher code used in the malware droppers
  • A timeline of
    malware activity

The FireEye report explains how Calamine can connect these and other
facets of the attack. This evidence is especially useful when it is
correlated with multiple attacks that display the same identifying
features. Combining these nitty-gritty details with big-picture
intelligence can help profile threat attackers and enhance IT defenses.

Calamine may not stop determined APT actors from using Poison Ivy.
But it can complicate their ability to hide behind this commodity RAT.

Full details are available, here:

[1] ChopShop is available for download at https://github.com/MITRECND/chopshop.

[2] Immunity Debugger is available at http://debugger.immunityinc.com/.

[3] For more information about the BSD 2-Clause License, see
the Open Source Initiative’s template at http://opensource.org/licenses/BSD-2-Clause.

Share this post

Share on facebook
Share on linkedin
Share on print
Share on email

Subscribe to our Monthly Cyber Security Digest

Get monthly content to keep you up to date on the latest news and tips