Poison Ivy is one of the most widely used RATs. It is so readily available and so easy to use that it is often used by script kiddies who simply want to ‘mess’ with people. Because of this, it is sometimes accepted as a ‘minor inconvenience’ by network defenders.
But dismissing this common breed of malware could be a costly mistake, warns Darien Kindlund, manager of threat intelligence at FireEye. “Despite their reputation as a software toy for novice attackers — RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors. Today, we see hundreds of attacks using Poison Ivy targeting very high profile enterprises.”
If network defenders better understand what the malware does, they can monitor their networks for clues that might indicate its presence – and more particularly, understand whether it is a script kiddie or an APT actor. FireEye has now published a major analysis of the Poison Ivy RAT to help network admins understand its processes and aid in its detection and subsequent elimination.
It has also produced a free and aptly-named Calamine tool specifically for security researchers. Calamine is not designed to eliminate Poison Ivy, but to decrypt its command-and-control traffic and recover the implant’s configuration from an infected host, allowing researchers to learn more about current campaigns and the threat actors behind them.
Poison Ivy has been available since at least 2005, and can be downloaded from its official website at www.poisonivy-rat.com. Its feature set is common to most other Windows-based RATs, says FireEye: “key logging, screen capturing, video capturing, file transfers, system administration, password theft, traffic relaying, and more.” But its ready availability and ease of use have made it a favorite choice. FireEye refers to the tool as PIVY. Its builder kit lets the attacker customize the implant (confusingly called the ‘server’ in Poison Ivy’s own terminology; the attacker’s console is the ‘client’), which must then be installed on the victim. This is usually done – to ensure success – via an exploit, often a zero-day, delivered either in a malicious email attachment or through a drive-by download.
For its analysis, FireEye collected 193 samples of Poison Ivy that had been used between 2008 and 2013. It found relationships suggesting three separate major ‘APT’ campaigns, which it calls admin@338, menuPass and th3bug. Using the PE compile time from each sample together with the first time the sample was seen by VirusTotal, it worked out the likely date of usage (the compile time alone is not trustworthy, since it is attacker-controlled and easily forged, which is why the first-seen date is needed as a cross-check); it found that all three campaigns have been in operation since 2008, peaking in 2012.
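The dating method described above, carried through on constructed data as an added example (this is not FireEye’s code, and the PE headers and first-seen dates are made up, not real Poison Ivy samples): the compile timestamp is read straight out of the COFF header, compared against the first-seen date, and discarded in favour of first-seen when it is implausible (later than first-seen, or more than a year earlier), before the surviving dates are bucketed by year.

```python
"""Estimate when a sample was used from its PE compile time plus the date it
was first seen on a scanning service.  Added example; all sample headers and
first-seen dates below are constructed test data, not real PIVY samples."""
import struct
from collections import Counter
from datetime import datetime, timezone

UTC = timezone.utc


def pe_compile_time(data: bytes) -> datetime:
    """Read IMAGE_FILE_HEADER.TimeDateStamp with the standard library only.
    Layout: 'MZ' DOS header, e_lfanew (uint32 at 0x3C) -> 'PE\\0\\0',
    then Machine (2 bytes), NumberOfSections (2), TimeDateStamp (4)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)


def make_pe_stub(compiled: datetime) -> bytes:
    """Constructed minimal PE header carrying the given compile time (test data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: COFF header follows DOS header
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 3, int(compiled.timestamp())) + b"\0" * 12
    return bytes(dos) + coff


def estimate_usage(data: bytes, first_seen: datetime):
    """Return (estimated_usage_date, note).  Compile time is attacker-controlled,
    so it is only trusted when it falls within a year before first-seen."""
    compiled = pe_compile_time(data)
    if compiled > first_seen:
        return first_seen, "compile time after first-seen: likely timestomped"
    if (first_seen - compiled).days > 365:
        return first_seen, "compile time >1 year before first-seen: stale or forged"
    return compiled, "compile time plausible"


def usage_by_year(samples):
    """samples: iterable of (pe_bytes, first_seen).  Returns (Counter of year
    -> sample count, list of notes for samples whose compile time was rejected)."""
    years, flagged = Counter(), []
    for i, (data, first_seen) in enumerate(samples):
        when, note = estimate_usage(data, first_seen)
        years[when.year] += 1
        if note != "compile time plausible":
            flagged.append(f"sample {i}: {note}")
    return years, flagged


def d(y, m, day):
    return datetime(y, m, day, tzinfo=UTC)


# Constructed corpus: (compile time baked into a stub header, first-seen date).
SAMPLES = [
    (make_pe_stub(d(2008, 5, 10)), d(2008, 6, 1)),
    (make_pe_stub(d(2010, 2, 1)), d(2010, 3, 15)),
    (make_pe_stub(d(2012, 1, 5)), d(2012, 2, 1)),
    (make_pe_stub(d(2012, 4, 10)), d(2012, 4, 12)),
    (make_pe_stub(d(2012, 9, 1)), d(2012, 9, 20)),
    (make_pe_stub(d(2013, 6, 1)), d(2013, 1, 10)),   # compiled "after" it was seen
    (make_pe_stub(d(2005, 1, 1)), d(2011, 7, 1)),    # compile time far too old
]

if __name__ == "__main__":
    hist, notes = usage_by_year(SAMPLES)
    for year in sorted(hist):
        print(f"{year}: {'#' * hist[year]}")
    for n in notes:
        print("flagged:", n)
```

On the constructed corpus the histogram peaks in 2012 and two samples are flagged, one for a compile time later than its first-seen date and one for a compile time six years earlier; both fall back to the first-seen date, which an attacker cannot backdate.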
admin@338 “tends to target the Finance sector, but we see significant activity in the ISP/Telco, Government and Defense sectors as well,” reports FireEye. This campaign usually uses spear-phishing emails with an infected attachment. The attached documents – legitimate documents that have been weaponized – are relevant to both the covering email and the interests of the target. Both the email content and the decoy documents are usually in English. “However,” adds FireEye, “we have observed that although the content is in English, the character set of the email message body is actually Chinese (GB2312).” That mismatch between the language of the text and the declared character set is a cheap clue to look for at the mail gateway.
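A check for the tell described above, as an added example (not FireEye’s code or part of the report): parse an inbound message, and flag any text part whose declared charset is a Chinese encoding while the body it carries is pure ASCII. The two messages below are constructed, not captured campaign mail, and the charset list is this example’s own choice.

```python
"""Flag mail whose body is plain English (pure ASCII) but whose text part is
declared in a Chinese character set such as GB2312.  Added example; the
messages below are constructed, not real spear-phishing samples."""
from email import policy
from email.parser import BytesParser

# Charsets to treat as suspicious when paired with an all-ASCII body (this
# example's choice; GB2312 is the one named in the report, GBK/GB18030 are supersets).
SUSPECT_CHARSETS = {"gb2312", "gbk", "gb18030"}


def charset_anomalies(raw: bytes) -> list:
    """Return one finding per text part that declares a suspect charset but
    contains only ASCII, plus the filenames of any attachments for context."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_maintype() == "text":
            charset = (part.get_content_charset() or "us-ascii").lower()
            body = part.get_content()
            if charset in SUSPECT_CHARSETS and body.isascii():
                findings.append(
                    f"{part.get_content_type()}: ASCII-only body declared as {charset}"
                )
        elif part.get_filename():
            findings.append(f"attachment: {part.get_filename()}")
    # An attachment alone is not an anomaly; only report it alongside a charset hit.
    if not any(f.startswith("text/") for f in findings):
        return []
    return findings


# Constructed message: English body, GB2312 declared, document attached.
SUSPECT_MAIL = b"""From: "Conference Secretariat" <secretariat@example.com>
To: analyst@example.org
Subject: Agenda for next week
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: 7bit

Dear colleague, please find attached the agenda for our meeting next week.
--b1
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed control message: same English text, honest UTF-8 declaration.
BENIGN_MAIL = b"""From: colleague@example.org
To: analyst@example.org
Subject: Agenda for next week
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Dear colleague, please find attached the agenda for our meeting next week.
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MAIL), ("benign", BENIGN_MAIL)):
        print(name, charset_anomalies(raw))
```

The check is deliberately narrow: a genuinely Chinese-language message will contain non-ASCII bytes and is left alone, and the attachment name is only reported when a charset hit is present, so the output points the analyst at the weaponized document that usually accompanies such mail rather than flagging every message with a PDF.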
The th3bug campaign prefers to use “strategic web compromise” (a watering-hole drive-by) as its means of infection. Since this is less targeted than email attachments, its victims are more varied. “This ongoing campaign targets a number of different industries,” says the report, “but does appear to demonstrate a preference for targets in higher education and the healthcare sector.” This campaign seems to be more stealthy and more restrained than admin@338.
menuPass, like admin@338, favors weaponized spear-phishing emails. “Based on our visibility,” says FireEye, “it appears that the menuPass threat actor prefers to target US and Foreign Defense Contractors.” The weaponized documents are again relevant to the target, and are delivered zipped. FireEye gives three examples: Strategy_Meeting, Background Consent Form, and Doha_Climate_Change_Conference-November_2012.
FireEye believes that one of the reasons for sophisticated threat actors to choose a ‘commodity’ RAT such as Poison Ivy is simply because it is so popular and used by many other hackers. “APT actors may also use commodity RATs as a means to complicate correlation of activity over time as they can hide in the sea of noise of other actors, using the same tool for different purposes.” The purpose of this study, it says, is to give network defenders the clues and tools that will help them recognize an APT campaign, and “to force the actors away from using these RATs and complicate their ability to hide behind these commodity tools.”