
Poison Ivy discovered in on-going espionage efforts


The years-old Poison Ivy remote access Trojan (RAT), best known for its use in the attack on security firm RSA, is alive and well, according to new research.

In a new report (PDF), security firm FireEye highlighted the activities of three advanced persistent threat (APT) groups who, since 2012, have used the malware in more than 70 attacks against organisations around the globe.

Darien Kindlund, manager of threat intelligence at FireEye, blogged about the on-going espionage campaigns making use of Poison Ivy. In a follow-up interview with SCMagazine.com on Thursday, he explained why the freely available tool continues to serve its purpose in a sophisticated malware marketplace.

Poison Ivy was released in 2005, and was notably used in the 'Nitro' attacks in 2011 to steal intellectual property from numerous chemical companies in the United States and other countries. The malware was also used by hackers to breach security firm RSA that same year, stealing information related to its SecurID product line.

According to Kindlund, Poison Ivy – which has keylogging, screen- and video-capturing, and file-transferring capabilities – is an ordinary piece of malware, but one with significant benefits.

“It's more difficult to know who is attacking [organisations] when they are using a garden-variety remote access tool,” Kindlund told SCMagazine.com.

Because RATs are so widely used, it is difficult to tell when one is being used in an APT scenario, so FireEye released a package of free tools, called Calamine, to help organisations detect when Poison Ivy attacks are potentially part of a larger espionage campaign.

After collecting 194 samples of Poison Ivy used in targeted attacks between 2008 and 2013, FireEye linked the infections to three groups: Admin@338, Th3bug and MenuPass. They are named after the passwords they use to access Poison Ivy once it's installed on victim machines.

FireEye learned that hackers in the Admin@338 group had used Poison Ivy in APT attacks since January 2008, relying on spear phishing emails to target organisations in the finance, economic and trade policy sectors.

The Th3bug group has primarily targeted the higher education and health care sectors since October 2009, by infecting websites its victims frequently visited.

MenuPass also used spear phishing – where weaponised emails crafted for specific staff at an organisation are sent to lure targets into clicking malicious links or opening malicious files – during 2012 and this year. Several exploits have been used across the on-going campaigns – for instance, those in Microsoft Word, Java and Internet Explorer – allowing the attackers to booby-trap files or web pages that victims opened or visited.

Kindlund said that the command-and-control server communications, and the fact that the weaponised emails contained messages using Chinese character sets, led FireEye researchers to conclude that the groups likely had regional ties to China.

The firm was also able to link attacks to particular groups using additional evidence, such as the passwords the hackers used to access infected machines and to decrypt communications with the control server.

The Calamine package, meant to thwart long-lived espionage campaigns, consists of tools that decrypt the RAT's network traffic communications so organisations can “understand commands issued by human operators controlling [infected] endpoints”, and receive other insight that could help them profile their attackers, such as information on configuration files used in the attack, the FireEye blog post said.

Kindlund told SCMagazine.com that the human element of the attack is what will provide the most help to organisations tasked with separating sporadic infections from those that are signs of a persistent campaign to steal their company's data.

“With most threat actors, it's all human-driven activities – and humans don't like to change their tactics if what they are doing is working very well,” Kindlund said. “This helps predict what their next attack will look like.”
