FireEye Unveils New Research, Analysis Tools for Poison Ivy RAT

New research from security firm FireEye is turning attention to Poison Ivy – a remote access tool (RAT) that may not make users itch, but is troublesome nonetheless.

A full eight years after it was first released, Poison Ivy remains an active threat that requires little tech-savvy to use. According to FireEye, despite its simplicity, RATs like Poison Ivy are often components of coordinated, targeted attacks.

During the past few years, Poison Ivy has been used in a number of high-profile attacks, including the notorious compromise of RSA a few years ago and a coordinated attack known as 'Nitro' that targeted chemical companies and others. Currently, there are a number of ongoing attack campaigns using the tool as well, including '[email protected]', which has been active since 2008 and mostly targets the financial industry, and 'th3bug', which was first detected in 2009 and primarily targets the healthcare industry and higher education institutions.

Another example of a campaign using Poison Ivy is the 'menupass' campaign, which also was launched in 2009 and is focused on defense contractors. It appears to be emanating from China, according to FireEye.

"Poison Ivy RAT has persisted this long, because its interface is exceptionally easy to use," said Darien Kindlund, manager of threat intelligence at FireEye. "Therefore nation state groups can literally outsource their operations to less qualified subcontractors, because the PIVY interface to build malicious documents and control infected victims is trivial."

A typical Poison Ivy attack begins with an attacker setting up a custom Poison Ivy server and sending the server installation file to the targeted computer, FireEye explained. The server installation file begins executing on the target machine, avoiding detection by downloading additional code as needed through an encrypted communications channel. Once the server is running on the target machine, the attacker uses a Windows GUI client to control the machine.

"In general, an important factor to recognize about RATs is that they require live, direct, realtime human interaction by the APT attacker," according to the paper. "This is distinctly different from crimeware (malware focused on cybercrime), where the criminal can issue commands to their entire botnet of compromised endpoints (or portions of it) whenever they please and then let them go to work on a common goal (e.g., SPAM relay). In contrast, RATs are much more personal and may indicate that you are dealing with a dedicated threat actor that is specifically interested in your organization."

FireEye has released a free set of tools the company has dubbed 'Calamine' to help organizations detect Poison Ivy infections on their systems and monitor its behavior and communications.

The package includes:

- PIVY callback-decoding tool (ChopShop module, available here)

- PIVY memory-decoding tool (PIVY PyCommand script, available here)

The ChopShop framework was developed by the MITRE Corporation for network-based protocol decoders that help security professionals understand commands issued by human operators controlling endpoints, FireEye said. FireEye's PIVY module for ChopShop decrypts Poison Ivy network traffic.

Evidence gathered by Calamine can be useful when correlated across multiple attacks that display the same identifying features, FireEye said, but cautioned that Calamine won't always stop determined attackers from using Poison Ivy, though it can complicate their ability to hide behind the commodity RAT.

"RATs may well be the hacker’s equivalent of training wheels, as they are often regarded in IT security circles," Kindlund noted in a blog post. "But despite their reputation as a software toy for novice 'script kiddies,' RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors."

The paper from FireEye can be found here in PDF format.