Poison Ivy: Assessing Damage and Extracting Intelligence
Today, our research team is publishing a report on the Poison Ivy family of remote access tools (RATs) along with a package of tools created to work as a balm of sorts — naturally, we’re calling the package “Calamine.”
In an era of sophisticated cyber attacks, you might wonder why we’re even bothering with this well-known, downright ancient pest. As we explain in the paper, dismissing Poison Ivy could be a costly mistake.
RATs are often regarded in IT security circles as the hacker’s equivalent of training wheels. But despite their reputation as a software toy for novice “script kiddies,” RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors.
Requiring little technical savvy, RATs offer unfettered access to compromised machines. They are deceptively simple — attackers can point and click their way through the target’s network to steal data and intellectual property. But they are often delivered as a key component of coordinated attacks that use previously unknown (zero-day) software flaws and clever social engineering.
Even as security professionals shrug off the threat, the presence of a RAT may in itself indicate a targeted attack known as an advanced persistent threat (APT). Unlike malware focused on opportunistic cybercrime (typically conducted by botnets of compromised machines), RATs require a live person on the other side of the attack.
Poison Ivy has been used in several high-profile malware campaigns, most infamously, the 2011 compromise of RSA SecurID data. The same year, Poison Ivy powered a coordinated attack dubbed “Nitro” against chemical makers, government offices, defense firms, and human-rights groups.
We have discovered several nation-state threat actors actively using Poison Ivy, including the following:
- admin@338 — Active since 2008, this actor mostly targets the financial services industry, though we have also seen activity in the telecom, government, and defense sectors.
- th3bug — First detected in 2009, this actor targets a number of industries, primarily higher education and healthcare.
- menuPass — Also first detected in 2009, this actor targets U.S. and overseas defense contractors.
Understanding why Poison Ivy remains one of the most widely used RATs is easy. Controlled through a familiar Windows interface, it offers a bevy of handy features: key logging, screen capture, video capturing, file transfers, password theft, system administration, traffic relaying, and more.
Here is how a typical Poison Ivy attack works:
- The attacker sets up a custom PIVY server, tailoring details such as how Poison Ivy will install itself on the target computer, what features are enabled, the encryption password, and so on.
- The attacker sends the PIVY server installation file to the targeted computer. Typically, the attacker takes advantage of a zero-day flaw. The target executes the file by opening an infected email attachment, for example, or visiting a compromised website.
- The server installation file begins executing on the target machine. To avoid detection by anti-virus software, it downloads additional code as needed through an encrypted communication channel.
- Once the PIVY server is up and running on the target machine, the attacker uses a Windows GUI client to control the target computer.
Because Poison Ivy is so widely used, security professionals have a hard time tracing attacks that rely on the RAT to any particular attacker.
We hope to eliminate some of that anonymity with the Calamine package. The package, which enables organizations to easily monitor Poison Ivy’s behavior and communications, includes these components:
- PIVY callback-decoding tool (ChopShop module, available here: https://github.com/fireeye/chopshop)
- PIVY memory-decoding tool (PIVY PyCommand script, available here: https://github.com/fireeye/pycommands)
ChopShop is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints. The FireEye PIVY module for ChopShop decrypts Poison Ivy network traffic.
PyCommands, meanwhile, are Python scripts that automate tasks for Immunity Debugger, a popular tool for reverse-engineering malware binaries. The FireEye PyCommand script dumps configuration information from a running PIVY process on an infected endpoint, which can provide additional telemetry about the threat actor behind the attack.
FireEye is sharing the Calamine tools with the security community at large under the BSD 2-Clause license for both commercial and non-commercial use worldwide.
By tracking the PIVY server activity, security professionals can find these telltale indicators:
- The domains and IPs used for CnC
- The attacker’s PIVY process mutex
- The attacker’s PIVY password
- The launcher code used in the malware droppers
- A timeline of malware activity
The FireEye report explains how Calamine can connect these and other facets of the attack. This evidence is especially useful when it is correlated with multiple attacks that display the same identifying features. Combining these nitty-gritty details with big-picture intelligence can help profile threat attackers and enhance IT defenses.
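The correlation step described above can be illustrated in code. The following is an added example, not part of the FireEye report or the Calamine package: it assumes that the per-incident indicators listed above (CnC domains and IPs, PIVY mutex, PIVY password, first-seen date) have already been extracted, and it groups incidents that share any operator-chosen indicator into clusters with a combined timeline. The incident records and the builder-default values it ignores are constructed placeholders.

```python
"""Correlate Poison Ivy (PIVY) indicators across incidents.

Added example, not FireEye's or MITRE's code. Incidents sharing any
non-default indicator (CnC host, mutex, password) are merged with a
union-find, which is the usual way to turn pairwise overlaps into clusters.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PivyIncident:
    name: str
    cnc_hosts: frozenset   # domains / IPs used for CnC
    mutex: str             # PIVY process mutex
    password: str          # PIVY encryption password
    first_seen: str        # ISO date of first observed activity


# Values a PIVY builder sets by default are shared by unrelated operators and
# must not link incidents. These two entries are constructed placeholders, not
# real Poison Ivy defaults.
BUILDER_DEFAULTS = {
    ("mutex", "DEFAULT-MUTEX-PLACEHOLDER"),
    ("password", "DEFAULT-PASSWORD-PLACEHOLDER"),
}


def indicator_keys(inc):
    """Typed (kind, value) keys for one incident, minus builder defaults."""
    keys = {("cnc", h.lower()) for h in inc.cnc_hosts}
    keys.add(("mutex", inc.mutex))
    keys.add(("password", inc.password))
    return keys - BUILDER_DEFAULTS


def cluster_incidents(incidents):
    """Return clusters of incidents linked by shared indicators, each sorted by date."""
    parent = {inc.name: inc.name for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_owner = {}  # indicator key -> first incident that carried it
    for inc in incidents:
        for key in indicator_keys(inc):
            if key in first_owner:
                union(first_owner[key], inc.name)
            else:
                first_owner[key] = inc.name

    groups = defaultdict(list)
    for inc in incidents:
        groups[find(inc.name)].append(inc)
    return [sorted(g, key=lambda i: i.first_seen) for g in groups.values()]


def cluster_summary(incidents):
    """Map frozenset(incident names) -> (indicators shared by >1 incident, timeline)."""
    summary = {}
    for group in cluster_incidents(incidents):
        counts = defaultdict(int)
        for inc in group:
            for key in indicator_keys(inc):
                counts[key] += 1
        shared = {k for k, c in counts.items() if c > 1}
        timeline = [(inc.first_seen, inc.name) for inc in group]
        summary[frozenset(inc.name for inc in group)] = (shared, timeline)
    return summary


# Constructed sample incidents (documentation-range IP, example domains).
SAMPLE_INCIDENTS = [
    PivyIncident("INC-1", frozenset({"update.example-cnc.net"}), "MUTEX-ALPHA", "pw-alpha", "2012-03-01"),
    PivyIncident("INC-2", frozenset({"203.0.113.10"}), "MUTEX-ALPHA", "pw-beta", "2012-05-14"),
    PivyIncident("INC-3", frozenset({"news.example-cnc.org"}), "DEFAULT-MUTEX-PLACEHOLDER",
                 "DEFAULT-PASSWORD-PLACEHOLDER", "2012-06-02"),
    PivyIncident("INC-4", frozenset({"cdn.example-cnc.com", "203.0.113.10"}), "MUTEX-GAMMA", "pw-gamma", "2013-01-20"),
    PivyIncident("INC-5", frozenset({"static.example-cnc.net"}), "DEFAULT-MUTEX-PLACEHOLDER", "pw-delta", "2013-02-11"),
]

if __name__ == "__main__":
    for names, (shared, timeline) in cluster_summary(SAMPLE_INCIDENTS).items():
        print(sorted(names), "shared:", sorted(shared), "timeline:", timeline)
```

INC-1 and INC-2 are linked by a reused mutex, INC-2 and INC-4 by a reused CnC address, so the three form one cluster with a timeline from 2012-03-01 to 2013-01-20; INC-3 and INC-5 share only a builder-default mutex, which is filtered out, so they stay separate. Excluding default values is the caveat that matters most in practice: a RAT as common as PIVY will otherwise make unrelated operators look like one actor.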
Calamine may not stop determined APT actors from using Poison Ivy. But it can complicate their ability to hide behind this commodity RAT.
Full details are available here:
- White Paper
- Appendix - Includes full technical indicators of compromise (IOCs)
- Calamine Package - For analyzing PIVY process and network artifacts. The tools leverage Immunity Debugger and MITRE's ChopShop.
  - ChopShop is available for download at https://github.com/MITRECND/chopshop.
  - Immunity Debugger is available at http://debugger.immunityinc.com/.