SecurityWeek

Malware & Threats

FireEye Unveils New Research, Analysis Tools for Poison Ivy RAT

New research from security firm FireEye is turning attention to Poison Ivy – a remote access tool (RAT) that may not make users itch, but is troublesome nonetheless.


A full eight years after its first release, Poison Ivy remains an active threat that requires little technical skill to operate. According to FireEye, despite its simplicity, RATs like Poison Ivy are often components of coordinated, targeted attacks.

During the past few years, Poison Ivy has been used in a number of high-profile attacks, including the 2011 compromise of RSA and a coordinated attack known as ‘Nitro’ that targeted chemical companies and others. Several attack campaigns using the tool are still ongoing, including ‘admin@338’, which has been active since 2008 and mostly targets the financial industry, and ‘th3bug’, which was first detected in 2009 and primarily targets the healthcare industry and higher education institutions.

Another example of a campaign using Poison Ivy is the ‘menupass’ campaign, which also was launched in 2009 and is focused on defense contractors. It appears to be emanating from China, according to FireEye.

“Poison Ivy RAT has persisted this long, because its interface is exceptionally easy to use,” said Darien Kindlund, manager of threat intelligence at FireEye. “Therefore nation state groups can literally outsource their operations to less qualified subcontractors, because the PIVY interface to build malicious documents and control infected victims is trivial.”

A typical Poison Ivy attack begins with an attacker setting up a custom Poison Ivy server and sending the server installation file to the targeted computer, FireEye explained. Note that Poison Ivy inverts the usual client/server naming: the “server” is the implant that runs on the victim’s machine, and the “client” is the attacker’s controller. The server installation file begins executing on the target machine, avoiding detection by downloading additional code as needed through an encrypted communications channel. Once the server is running on the target machine, the attacker uses a Windows GUI client to control it.

“In general, an important factor to recognize about RATs is that they require live, direct, real-time human interaction by the APT attacker,” according to the paper. “This is distinctly different from crimeware (malware focused on cybercrime), where the criminal can issue commands to their entire botnet of compromised endpoints (or portions of it) whenever they please and then let them go to work on a common goal (e.g., spam relay). In contrast, RATs are much more personal and may indicate that you are dealing with a dedicated threat actor that is specifically interested in your organization.”

FireEye has released a free set of tools the company has dubbed ‘Calamine’ to help organizations detect Poison Ivy infections on their systems and monitor its behavior and communications.


The package includes:

– PIVY callback-decoding tool (ChopShop module, available here)

– PIVY memory-decoding tool (PIVY PyCommand script, available here)

ChopShop is a framework developed by the MITRE Corporation for writing network-based protocol decoders, which help security professionals understand the commands issued by human operators controlling compromised endpoints, FireEye said. FireEye’s PIVY module for ChopShop decrypts Poison Ivy command-and-control traffic, given the password the operator configured for the implant.
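The two passages above describe the Poison Ivy connection flow (the victim-side “server” calling back to the operator’s GUI “client” over an encrypted channel) and FireEye’s ChopShop module that decrypts it. The following is an added example, not Calamine or MITRE code, showing the one part of that flow a defender can match without the password. It assumes protocol details that this article does not state but that are well documented for Poison Ivy: the infected host sends a 256-byte random challenge, the operator answers with the same 256 bytes encrypted under the password, and the infected host then sends the 4-byte little-endian length 0x15d0 (5584) announcing the encrypted victim-information record. The `Flow`, `classify` and `classify_segments` names and the sample traffic are the example’s own constructions.

```python
"""Structural detector for the Poison Ivy (PIVY) connection handshake.

Added example, not FireEye's Calamine code. Assumed protocol details
(not stated in the article): the infected host, which PIVY calls the
"server", opens the TCP connection and sends a 256-byte random
challenge; the operator's GUI "client" answers with the same 256 bytes
encrypted under its password; the infected host then sends the 4-byte
little-endian length 0x000015d0 (5584) announcing the encrypted
victim-information record that follows. Without the password only this
structure is observable, so that is what the detector matches.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import random

CHALLENGE_LEN = 256
RECORD_HEADER = b"\xd0\x15\x00\x00"   # 0x15d0 little-endian = 5584 bytes
RECORD_LEN = 0x15D0


@dataclass
class Flow:
    """Per-direction reassembly of one victim-initiated TCP connection."""
    to_c2: bytearray = field(default_factory=bytearray)    # victim -> operator
    from_c2: bytearray = field(default_factory=bytearray)  # operator -> victim
    # how many bytes the victim had sent when the operator first answered
    reply_at: Optional[int] = None

    def feed(self, direction: str, data: bytes) -> None:
        if direction == "out":
            self.to_c2 += data
        elif direction == "in":
            if self.reply_at is None and data:
                self.reply_at = len(self.to_c2)
            self.from_c2 += data
        else:
            raise ValueError(f"unknown direction {direction!r}")


def classify(flow: Flow) -> Tuple[str, List[str]]:
    """Return ("pivy" | "partial" | "none", reasons) for a reassembled flow."""
    reasons: List[str] = []
    # The operator must answer only after exactly one 256-byte challenge.
    if flow.reply_at != CHALLENGE_LEN:
        return "none", ["operator reply not preceded by exactly 256 bytes"]
    reasons.append("256-byte challenge before first reply")
    if len(flow.from_c2) < CHALLENGE_LEN:
        return "partial", reasons + ["reply shorter than 256 bytes so far"]
    reasons.append("256-byte reply")
    hdr = bytes(flow.to_c2[CHALLENGE_LEN:CHALLENGE_LEN + len(RECORD_HEADER)])
    if len(hdr) < len(RECORD_HEADER):
        return "partial", reasons + ["record header not yet seen"]
    if hdr != RECORD_HEADER:
        return "none", reasons + [f"unexpected header {hdr.hex()}"]
    reasons.append("0x15d0 record header")
    body = len(flow.to_c2) - CHALLENGE_LEN - len(RECORD_HEADER)
    if body >= RECORD_LEN:
        reasons.append("5584-byte victim record present")
    return "pivy", reasons


def classify_segments(segments: List[Tuple[str, bytes]]) -> str:
    """Feed ordered (direction, payload) TCP segments and return the verdict."""
    flow = Flow()
    for direction, data in segments:
        flow.feed(direction, data)
    return classify(flow)[0]


# Constructed sample traffic; random bytes stand in for the encrypted data.
RNG = random.Random(1)
SAMPLE_CHALLENGE = RNG.randbytes(CHALLENGE_LEN)
SAMPLE_REPLY = RNG.randbytes(CHALLENGE_LEN)
SAMPLE_RECORD = RNG.randbytes(RECORD_LEN)

PIVY_FLOW = [("out", SAMPLE_CHALLENGE), ("in", SAMPLE_REPLY),
             ("out", RECORD_HEADER), ("out", SAMPLE_RECORD)]
# Same handshake with the challenge and the 4-byte header split across segments.
PIVY_SPLIT_FLOW = [("out", SAMPLE_CHALLENGE[:100]), ("out", SAMPLE_CHALLENGE[100:]),
                   ("in", SAMPLE_REPLY), ("out", RECORD_HEADER[:2]),
                   ("out", RECORD_HEADER[2:] + SAMPLE_RECORD)]
# A TLS-like negative: 517-byte ClientHello, then a server reply.
TLS_LIKE_FLOW = [("out", b"\x16\x03\x01\x02\x00" + RNG.randbytes(512)),
                 ("in", b"\x16\x03\x03" + RNG.randbytes(1200))]

if __name__ == "__main__":
    for name, segs in [("pivy", PIVY_FLOW), ("split", PIVY_SPLIT_FLOW),
                       ("tls-like", TLS_LIKE_FLOW)]:
        print(name, classify_segments(segs))
```

The check is a heuristic: other protocols can produce a 256-byte exchange, so a “pivy” verdict should be confirmed by decrypting the record with the operator’s password (which is what the ChopShop module does), or by correlating the destination with the campaign indicators FireEye publishes. Reassembling per direction rather than matching on individual packets matters because the 4-byte header is frequently split or coalesced by the TCP stack.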

Evidence gathered by Calamine is most useful when correlated across multiple attacks that share the same identifying features, FireEye said. The company cautioned that Calamine will not always stop a determined attacker from using Poison Ivy, though it complicates their ability to hide behind a commodity RAT.

“RATs may well be the hacker’s equivalent of training wheels, as they are often regarded in IT security circles,” Kindlund noted in a blog post. “But despite their reputation as a software toy for novice ‘script kiddies,’ RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors.”

The paper from FireEye can be found here in PDF format.

Written By

Marketing professional with a background in journalism and a focus on IT security.
