Poison Ivy RAT Campaign Leverages New Delivery Techniques

A recently observed campaign using the Poison Ivy remote access tool (RAT) against individuals within the Mongolian government uses publicly available techniques that haven’t been observed in previous campaigns, FireEye reports.

The Poison Ivy backdoor has been around for several years, targeting organizations all around the world, and was associated with a China-linked threat actor known as menuPass, Stone Panda and APT10. The malware packs capabilities such as key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more.

FireEye didn’t attribute the new campaign to a specific actor, and told SecurityWeek in an email that it can’t make direct connections to a particular group at this time. The security firm said it lacks visibility into what the actors did and admitted it doesn’t know if they were successful. Still, the company did say that “espionage is a reasonable assumption for their motives.”

What the newly observed campaign did show, however, was that the actor behind it is up-to-date with recent social engineering and evasion techniques and isn’t shy when it comes to using them. The attacks leveraged an AppLocker bypass that was publicly revealed last year, as well as fileless execution and persistence, and benign documents to minimize user suspicion of malicious activity.

The malware was distributed via Word documents with malicious macros, and the threat actor was using social engineering to trick users into enabling these macros. The malicious documents were delivered via email, claiming to contain instructions for logging into webmail or information regarding a state law proposal, FireEye explains.

The malicious macros in the documents were designed to invoke Regsvr32, a command-line utility designed for registering DLLs in the registry, to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument. This technique was demonstrated last year to effectively bypass AppLocker, the Microsoft application whitelisting solution that prevents unknown executables from running on a system.

In this campaign, the malicious SCT file was designed to invoke WScript to launch PowerShell in hidden mode with an encoded command, FireEye reports. After the PowerShell command is decoded, another layer of PowerShell instructions emerges, serving two purposes: to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet; and to download and run another PowerShell script named f0921.ps1.

The third stage PowerShell script configures an encoded command persistently as base64 string in the HKCU: ConsoleFontSecurity registry key, along with an HKCUCurrentVersionRunSecurityUpdate value to launch the encoded PowerShell payload stored in the previously configured key. Thus, the PowerShell payload is executed every time the user logs in to the system.

A fourth stage PowerShell script in the HKCUConsoleFontSecurity registry borrows from the publicly available Inject-LocalShellCode script from PowerSploit to inject shellcode, researchers explain. The shellcode has a custom XOR-based decryption loop that uses a single byte key (0xD4), and was designed to inject the Poison Ivy backdoor into userinit.exe. The decrypted shellcode also revealed content and configuration related to Poison Ivy.

“Although Poison Ivy has been a proven threat for some time, the delivery mechanism for this backdoor uses recent publicly available techniques that differ from previously observed campaigns. Through the use of PowerShell and publicly available security control bypasses and scripts, most steps in the attack are performed exclusively in memory and leave few forensic artifacts on a compromised host,” FireEye says.

Related: August Stealer Uses PowerShell for Fileless Infection

Related: Windows AppLocker Bypassed to Execute Remote Scripts