Poison Ivy RAT gnawing on systems again

Poison Ivy, a Remote Access Trojan (RAT) circulating on the Internet for almost a decade, is experiencing a resurgence among hackers, says a report released on Wednesday by the network security company FireEye.

The RAT has been used in several high-profile attacks in the past -- notably the breach of RSA that compromised its SecurID authentication token system and the "Nitro" forays against chemical makers, government offices, defense firms, and human rights groups. FireEye said it is also currently being used in hundreds of intrusions on prominent enterprises.

Ordinarily, age isn't kind to products in the technology world, but that's not the case with Poison Ivy. "Many in the security community have dismissed Poison Ivy because it's so old," FireEye's Manager of Threat Intelligence, Darien Kindlund, explained in an interview. "That's why it's now being used as a legitimate tool by nation state threat actors to compromise victims."

In a 38-page report, FireEye researchers James T. Bennett, Ned Moran and Nart Villeneuve say three "nation state actors" using Poison Ivy were identified:

  • "admin@338", which mostly targets the financial services industry, as well as the telecom, government, and defense sectors;
  • "th3bug", which primarily targets higher education and healthcare; and
  • "menuPass", which targets U.S. and overseas defense contractors.

What sets RATs apart from typical crimeware is the amount of human intervention needed to run them. "[They] require live, direct, real-time human interaction by the [Advanced Persistent Threat] attacker," the FireEye report explained.

"This is distinctly different from crimeware, where the criminal can issue commands to their entire botnet of compromised endpoints whenever they please and then let them go to work on a common goal," the report said.

"In contrast," it said, "RATs are much more personal and may indicate that you are dealing with a dedicated threat actor that is specifically interested in your organization."

Despite being long in the tooth -- Poison Ivy first appeared in 2005 -- the RAT has managed to sustain its broad appeal. Part of that has to do with its ease of use. "RATing started out as something that took a lot of technological skill, but it has become increasingly weaponized to the point that it can hardly be called hacking anymore," Aaron Titus, chief privacy officer for Identity Finder, said in an interview.

Mikko Hypponen, chief research officer at F-Secure, said Poison Ivy, in particular, has become popular with a whole range of attackers. "Poison Ivy is a general purpose backdoor that we're seeing teenagers use and criminal gangs use to steal credit card numbers and, quite surprisingly, for years we've seen it used in these APT attacks as well," he told CSOonline.

"Many people automatically assume that attacks coming from a nation-state or an intelligence organization or a military organization would automatically use cutting edge technology and zero-day exploits and tailor-made backdoors," he added. "But that's not what we're seeing."

Joe Stewart, director of malware research at the Dell SecureWorks Counter Threat Unit, said that using a popular RAT may be a form of camouflage for some nation-state attackers. "It gives them some plausible deniability," he said.

"If someone discovers it on the network, it's just a common tool used by a lot of different hackers so it's hard to attribute it to a particular region," Stewart said.

What's more, a common RAT isn't as likely to create the kind of panic caused by something like a Stuxnet, Hypponen said. "If you get caught, if your target realizes they have an in-house infection, they wouldn't be as worried about finding a Poison Ivy infection as they would be if they found a completely tailor-made, Zero Day RAT attack," he said.

For some attackers, using an off-the-shelf RAT is a matter of balancing risk with the cost of developing software. "They're really not taking a lot of risk themselves in leaving a copy of Poison Ivy running on someone's computer," said Tom Cross, a security research director at Lancope. "If it gets compromised, it's just another copy of Poison Ivy. It doesn't reveal anything about the attacker's intent or their capabilities or what they intended to do."

Along with its report on Poison Ivy, FireEye released a set of free tools that can be used to detect Poison Ivy infections. The Calamine suite can reveal the RAT's process mutex and password, decode its command-and-control traffic to identify exfiltration and lateral movement, and build a timeline of the malware's activity.

Tools may be useful, but the only way to really protect a network is to prevent the RAT from insinuating itself into a system in the first place, said Anup Ghosh, CEO of Invincea. "This is a band-aid approach to the problem," Ghosh said in an interview. "Are we going to put out band-aids for every RAT that's out there?"

"It's not solving the problem," he said. "It's sticking a finger in the dam as leaks develop left and right."
