FireEye Unveils New Research, Analysis Tools for Poison Ivy RAT

New research from security firm FireEye is turning attention to Poison Ivy – a remote access tool (RAT) that may not make users itch, but is troublesome nonetheless.

A full eight years after it was first released, Poison Ivy remains an active threat that requires little tech-savvy to use. According to FireEye, despite its simplicity, RATs like Poison Ivy are often components of coordinated, targeted attacks.

During the past few years, Poison Ivy has been used in a number of high-profile attacks, including the notorious compromise of RSA a few years ago and a coordinated attack known as ‘Nitro’ that targeted chemical companies and others. Currently, there are a number of ongoing attack campaigns using the tool as well, including ‘admin@338’, which has been active since 2008 and mostly targets the financial industry, and ‘th3bug’, which was first detected in 2009 and primarily targets the healthcare industry and higher education institutions.

Another example of a campaign using Poison Ivy is the ‘menupass’ campaign, which was also launched in 2009 and is focused on defense contractors. It appears to be emanating from China, according to FireEye.

“Poison Ivy RAT has persisted this long, because its interface is exceptionally easy to use,” said Darien Kindlund, manager of threat intelligence at FireEye. “Therefore nation state groups can literally outsource their operations to less qualified subcontractors, because the PIVY interface to build malicious documents and control infected victims is trivial.”

A typical Poison Ivy attack begins with an attacker setting up a custom Poison Ivy server and sending the server installation file to the targeted computer, FireEye explained. The server installation file begins executing on the target machine, avoiding detection by downloading additional code as needed through an encrypted communications channel. Once the server is running on the target machine, the attacker uses a Windows GUI client to control the machine.

“In general, an important factor to recognize about RATs is that they require live, direct, realtime human interaction by the APT attacker,” according to the paper. “This is distinctly different from crimeware (malware focused on cybercrime), where the criminal can issue commands to their entire botnet of compromised endpoints (or portions of it) whenever they please and then let them go to work on a common goal (e.g., SPAM relay). In contrast, RATs are much more personal and may indicate that you are dealing with a dedicated threat actor that is specifically interested in your organization.”

FireEye has released a free set of tools the company has dubbed ‘Calamine’ to help organizations detect Poison Ivy infections on their systems and monitor its behavior and communications.

The package includes:

– PIVY callback-decoding tool (ChopShop module, available here)

– PIVY memory-decoding tool (PIVY PyCommand script, available here)

The ChopShop framework was developed by the MITRE Corporation for network-based protocol decoders that help security professionals understand commands issued by human operators controlling endpoints, FireEye said. FireEye’s PIVY module for ChopShop decrypts Poison Ivy network traffic.

Evidence gathered by Calamine can be useful when correlated across multiple attacks that display the same identifying features, FireEye said, but cautioned that Calamine won’t always stop determined attackers from using Poison Ivy, though it can complicate their ability to hide behind the commodity RAT.

“RATs may well be the hacker’s equivalent of training wheels, as they are often regarded in IT security circles,” Kindlund noted in a blog post. “But despite their reputation as a software toy for novice ‘script kiddies,’ RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors.”

The paper from FireEye can be found here in PDF format.
