Poison Ivy discovered in ongoing espionage efforts

The years-old Poison Ivy remote access trojan (RAT), well known for attacking security firm RSA, is alive and well, according to new research.

In a new report (PDF), security firm FireEye highlighted the activities of three advanced persistent threat (APT) groups who, since 2012, have used the malware in more than 70 attacks against organizations around the globe.

Darien Kindlund, manager of threat intelligence at FireEye, blogged about the ongoing espionage campaigns making use of Poison Ivy. In a Thursday follow-up interview with SCMagazine.com, he explained why the freely available tool continues to serve its purpose in a sophisticated malware marketplace.

Poison Ivy was released in 2005, and was notably used in the "Nitro" attacks in 2011 to steal intellectual property from numerous chemical companies in the United States and other countries. The malware was also used by hackers to breach security firm RSA that same year, stealing information related to its SecurID product line.

According to Kindlund, Poison Ivy – which has keylogging, screen- and video-capturing, and file-transferring capabilities – is an ordinary piece of malware, but one with significant benefits.

“It's more difficult to know who is attacking [organizations] when they are using a garden-variety remote access tool,” Kindlund told SCMagazine.com.

Because it is difficult to peg when RATs are used in APT scenarios due to their wide use, FireEye released a package of free tools, called Calamine, to help organizations detect when Poison Ivy attacks are potentially a part of a larger espionage campaign.

After collecting 194 malware samples of Poison Ivy used in targeted attacks between 2008 and 2013, FireEye linked infections with activities to three groups: Admin@338, Th3bug and MenuPass. They are named after the passwords they use to access Poison Ivy once it's installed on victim machines.

FireEye learned that hackers involved in the Admin@338 group leveraged Poison Ivy for APT attacks since January 2008, and used spear phishing emails to target organizations in finance, economic and trade policy sectors.

The Th3bug group primarily targeted higher education and health care sectors dating back to October 2009 by infecting websites victims frequently visited.

MenuPass also used spear phishing – where weaponized emails crafted for specific staff at organizations are sent to lure targets into clicking malicious links or files – during 2012 and this year. Several exploits have been used in all of the ongoing campaigns – for instance, those in Microsoft Word, Java, and Internet Explorer – allowing saboteurs to booby-trap vulnerable files or web pages that victims opened or visited.

Kindlund said that command-and-control server communications, and the fact that weaponized emails contained messages using Chinese character sets, led FireEye researchers to conclude that the groups likely had regional ties to China.

The firm was also able to link attacks with certain groups due to additional evidence, like passwords the hackers used to access infected machines and decrypt control hub communications.

The Calamine package, meant to thwart long-lived espionage campaigns, consists of tools that decrypt the RAT's network traffic communications so organizations can “understand commands issued by human operators controlling [infected] endpoints,” and receive other insight that could help them profile their attackers, such as information on configuration files used in the attack, the FireEye blog post said.

Kindlund told SCMagazine.com that the human element of the attack is what will provide the most help to organizations tasked with separating sporadic infections from those that are signs of a persistent campaign to steal their company's data.

“With most threat actors, it's all human-driven activities – and humans don't like to change their tactics if what they are doing is working very well,” Kindlund said. “This helps predict what their next attack will look like.”
