Poison Ivy discovered in on-going espionage efforts

Share this article:

The years-old Poison Ivy, best known for attacking security firm RSA, remote access Trojan (RAT) is alive and well, according to new research.

In a new report (PDF), security firm FireEye highlighted the activities of three advanced persistent threat (APT) groups who, since 2012, have used the malware in more than 70 attacks against organisations around the globe.

Darien Kindlund, manager of threat intelligence at FireEye, blogged about the on-going espionage campaigns making use of Poison Ivy in a follow-up interview with SCMagazine.com on Thursday, he explained why the freely available tool continues to serve its purpose in a sophisticated malware marketplace.

Poison Ivy was released in 2005, and was notably used in the 'Nitro' attacks in 2011 to steal intellectual property from numerous chemical companies in the United States and other countries. The malware was also used by hackers to breach security firm RSA that same year, stealing information related to its SecurID product line.

According to Kindlund, Poison Ivy – which has keylogging, screen- and video-capturing, and file-transferring capabilities – is an ordinary piece of malware, but one with significant benefits.

“It's more difficult to know who is attacking [organisations] when they are using a garden-variety remote access tool,” Kindlund told SCMagazine.com.  

It is difficult to determine when RATs are used in APT scenarios due to their wide use, and FireEye released a package of free tools, called Calamine, to help organisations detect when Poison Ivy attacks are potentially a part of a larger espionage campaign.  

After collecting 194 malware samples of Poison Ivy used in targeted attacks between 2008 and 2013, FireEye linked infections with activities to three groups: Admin@338, Th3bug and MenuPass. They are named after the passwords they use to access Poison Ivy once it's installed on victim machines.

FireEye learned that hackers involved in the Admin@338 group leveraged Poison Ivy for APT attacks since January 2008, and used spear phishing emails to target organisations in finance, economic and trade policy sectors.

The Th3bug group primarily targeted higher education and health care sectors dating back to October 2009 by infecting websites victims frequently visited.  

MenuPass also used spear phishing – where weaponised emails crafted for specific staff at organisations are sent to lure targets into clicking malicious links or files – during 2012 and this year. Several exploits have been used in all of the on-going campaigns – for instance, those in Microsoft Word, Java and Internet Explorer – allowing saboteurs to booby-trap vulnerable files or web pages that victims opened or visited.

Kindlund said that that command-and-control server communications, and the fact that weaponised emails contained messages using Chinese character sets, led FireEye researchers to conclude that the groups likely had regional ties to China.

The firm was also able to link attacks with certain groups due to additional evidence, such as passwords the hackers used to access infected machines and decrypt control hub communications.

The Calamine package, meant to thwart long-lived espionage campaigns, consists of tools that decrypt the RAT's network traffic communications so organisations can “understand commands issued by human operators controlling [infected] endpoints”, and receive other insight that could help them profile their attackers, such as information on configuration files used in the attack, the FireEye blog post said.

Kindlund told SCMagazine.com that the human element of the attack is what will provide the most help to organisations tasked with separating sporadic infections from those that are signs of a persistent campaign to steal their company's data.

“With most threat actors, it's all human-driven activities – and humans don't like to change their tactics if what they are doing is working very well,” Kindlund said. “This helps predict what their next attack will look like.”

Share this article: