Poison Ivy resurfaces after RSA attacks

The years-old Poison Ivy malware best known for attacking security firm RSA is alive and well, researchers say.

Credit: Brian Bolland.

The  remote access trojan (RAT) was in use by three advanced persistent threat (APT) groups who since 2012 have used the malware in more than 70 attacks against organisations around the globe.

FireEye threat intelligence manager Darien Kindlund blogged about the ongoing espionage campaigns making use of Poison Ivy.

He said the freely available tool served purpose in a sophisticated malware marketplace.

Poison Ivy was released in 2005, and was notably used in the "Nitro" attacks in 2011 to steal intellectual property from numerous chemical companies.

The malware was also used by hackers to breach security firm RSA that same year, stealing information related to its SecurID product line.

According to Kindlund, Poison Ivy – which has keylogging, screen- and video-capturing, and file-transferring capabilities – is an ordinary piece of malware, but one with significant benefits.

“It's more difficult to know who is attacking [organisations] when they are using a garden-variety remote access tool,” Kindlund said.  

FireEye released a package of free tools called Calamine to help organisations detect when Poison Ivy attacks were potentially a part of a larger espionage campaign, a feat that could be difficult to peg because of wide use of the RAT.

It linked infections with activities to three groups: Admin@338, Th3bug and MenuPass based on research into 194 Poison Ivy samples used in targeted attacks between 2008 and 2013.

The groups were named after the passwords they used to access Poison Ivy.

Crackers involved in the Admin@338 group leveraged Poison Ivy for APT attacks since January 2008, and used spear phishing emails to target organisations in finance, economic and trade policy sectors.

The Th3bug group primarily targeted higher education and health care sectors dating back to October 2009 by infecting websites victims frequently visited.  

MenuPass also used spear phishing during 2012 and this year. Several exploits were used in all of the ongoing campaigns – for instance, those in Microsoft Word, Java, and Internet Explorer – allowing saboteurs to booby-trap vulnerable files or web pages that victims opened or visited.

Researchers said the attacks had links to regional China given that that command-and-control server communications and weaponized emails contained messages using Chinese character sets.

The Calamine package, meant to thwart long-lived espionage campaigns, contained tools to decrypt the RAT's network traffic communications so organisations can “understand commands issued by human operators controlling [infected] endpoints,” and receive other insight that could help them profile their attackers, such as information on configuration files used in the attack.

Kindlund said the human element of the attack was the strongest indicator that attacks were part of a persistent campaign to steal company data.

“With most threat actors, it's all human-driven activities – and humans don't like to change their tactics if what they are doing is working very well,” Kindlund said. “This helps predict what their next attack will look like.”

This article originally appeared at scmagazineus.com