In an era of sophisticated cyber attacks, you might wonder why we’re even bothering with this well-known, downright ancient pest. As we explain in the paper, dismissing Poison Ivy could be a costly mistake.
In IT security circles, RATs are often regarded as the hacker’s equivalent of training wheels. But despite their reputation as a software toy for novice “script kiddies,” RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors.
Requiring little technical savvy, RATs offer unfettered access to compromised machines. They are deceptively simple — attackers can point and click their way through the target’s network to steal data and intellectual property. But they are often delivered as a key component of coordinated attacks that use previously unknown (zero-day) software flaws and clever social engineering.
Even as security professionals shrug off the threat, the presence of a RAT may in itself indicate a targeted attack known as an advanced persistent threat (APT). Unlike malware focused on opportunistic cybercrime (typically conducted by botnets of compromised machines), RATs require a live person on the other side of the attack.
Poison Ivy has been used in several high-profile malware campaigns, most infamously, the 2011 compromise of RSA SecurID data. The same year, Poison Ivy powered a coordinated attack dubbed “Nitro” against chemical makers, government offices, defense firms, and human-rights groups.
We have discovered several nation-state threat actors actively using Poison Ivy, including the following:
- admin@338 — Active since 2008, this actor mostly targets the financial services industry, though we have also seen activity in the telecom, government, and defense sectors.
- th3bug — First detected in 2009, this actor targets a number of industries, primarily higher education and healthcare.
- menuPass — Also first detected in 2009, this actor targets U.S. and overseas defense contractors.
Here is how a typical Poison Ivy attack works:
- The attacker sets up a custom PIVY server, tailoring details such as how Poison Ivy will install itself on the target computer, what features are enabled, the encryption password, and so on.
- The attacker sends the PIVY server installation file to the targeted computer. Typically, the attacker takes advantage of a zero-day flaw. The target executes the file by opening an infected email attachment, for example, or visiting a compromised website.
- The server installation file begins executing on the target machine. To avoid detection by anti-virus software, it downloads additional code as needed through an encrypted communication channel.
- Once the PIVY server is up and running on the target machine, the attacker uses a Windows GUI client to control the target computer.
We hope to eliminate some of that anonymity with the Calamine package. The package, which enables organizations to easily monitor Poison Ivy’s behavior and communications, includes these components:
- PIVY callback-decoding tool (ChopShop module, available here: https://github.com/fireeye/chopshop)
- PIVY memory-decoding tool (PIVY PyCommand script, available here: https://github.com/fireeye/pycommands)
PyCommands, meanwhile, are Python scripts that automate tasks for Immunity Debugger, a popular tool for reverse-engineering malware binaries.[2] The FireEye PyCommand script dumps configuration information from a running PIVY process on an infected endpoint, which can provide additional telemetry about the threat actor behind the attack.
FireEye is sharing the Calamine tools with the security community at large under the BSD 2-Clause license[3] for both commercial and non-commercial use worldwide.
By tracking the PIVY server activity, security professionals can find these telltale indicators:
- The domains and IPs used for CnC
- The attacker’s PIVY process mutex
- The attacker’s PIVY password
- The launcher code used in the malware droppers
- A timeline of malware activity
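The indicator classes listed above are only useful once they are matched against what an organization actually logs. The following is an added example, not part of the original post or of the Calamine package, showing how a defender can take the CnC domains/IPs and the PIVY mutex name recovered from an investigation, match them against proxy and endpoint logs, correlate hits per host, and emit the activity timeline the list ends with. Every indicator value, host name and log line here is a constructed placeholder (no real Poison Ivy IOCs); the log formats are assumed for the sake of the example, and the PIVY password and launcher code are not matched because they come from the memory dump rather than from logs.

```python
"""Match Poison Ivy indicator classes against sample logs and build a timeline.

Added example (not FireEye/Calamine code).  Indicator values, hosts and log
lines are constructed placeholders; the log line formats are assumed.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed indicator set.  In practice these would come from the white
# paper's appendix, the ChopShop callback decoder (domains/IPs) and the
# PyCommand memory dump (mutex).  PLACEHOLDER values only.
INDICATORS = {
    "cnc_domains": {"update-check.example.invalid"},
    "cnc_ips": {"203.0.113.10"},          # TEST-NET address, constructed
    "mutexes": {"PLACEHOLDER_PIVY_MUTEX"},
}

# Constructed sample logs in an assumed "<ts> <host> <event...>" format.
SAMPLE_LOGS = [
    "2013-01-05T09:15:02 ws-finance-07 proxy CONNECT update-check.example.invalid:443",
    "2013-01-05T09:14:50 ws-finance-07 mutex created name=PLACEHOLDER_PIVY_MUTEX pid=2212",
    "2013-01-05T09:20:11 ws-hr-02 proxy CONNECT www.example.com:443",
    "2013-01-06T14:02:33 ws-finance-07 proxy CONNECT 203.0.113.10:80",
    "2013-01-06T14:03:00 ws-legal-01 mutex created name=SomeBenignMutex pid=1188",
]

PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) proxy CONNECT (?P<dst>[^:\s]+)(?::(?P<port>\d+))?"
)
MUTEX_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) mutex created name=(?P<name>\S+) pid=(?P<pid>\d+)"
)


@dataclass
class Hit:
    ts: datetime
    host: str
    kind: str   # "cnc_domain", "cnc_ip" or "mutex"
    value: str


def scan(lines):
    """Return indicator hits from the given log lines, oldest first."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            dst = m.group("dst")
            ts, host = datetime.fromisoformat(m.group("ts")), m.group("host")
            if dst in INDICATORS["cnc_domains"]:
                hits.append(Hit(ts, host, "cnc_domain", dst))
            elif dst in INDICATORS["cnc_ips"]:
                hits.append(Hit(ts, host, "cnc_ip", dst))
            continue
        m = MUTEX_RE.match(line)
        if m and m.group("name") in INDICATORS["mutexes"]:
            hits.append(Hit(datetime.fromisoformat(m.group("ts")),
                            m.group("host"), "mutex", m.group("name")))
    # Sorting gives the activity timeline regardless of log ingestion order.
    return sorted(hits, key=lambda h: h.ts)


def confirmed_hosts(hits):
    """Hosts with both a PIVY mutex and CnC traffic: a network hit alone could
    be a sinkhole check or a scanner, so require the endpoint artifact too."""
    kinds_by_host = {}
    for h in hits:
        kinds_by_host.setdefault(h.host, set()).add(h.kind)
    return sorted(host for host, kinds in kinds_by_host.items()
                  if "mutex" in kinds and kinds & {"cnc_domain", "cnc_ip"})


def timeline(hits):
    """One line per hit, chronological, for the incident report."""
    return [f"{h.ts.isoformat()} {h.host} {h.kind}={h.value}" for h in hits]


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    print("\n".join(timeline(found)))
    print("confirmed hosts:", confirmed_hosts(found))
```

Run stand-alone it prints the three hits on `ws-finance-07` in time order and lists that host as confirmed; `ws-hr-02` and `ws-legal-01` produce nothing because neither the benign CONNECT nor the unrelated mutex is in the indicator set.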
Calamine may not stop determined APT actors from using Poison Ivy. But it can complicate their ability to hide behind this commodity RAT.
Full details are available here:
- White Paper
- Appendix – Includes full technical indicators of compromise (IOCs)
- Calamine Package – For analyzing PIVY process and network artifacts. The tools leverage Immunity Debugger and MITRE’s ChopShop.
[1] ChopShop is available for download at https://github.com/MITRECND/chopshop.
[2] Immunity Debugger is available at http://debugger.immunityinc.com/.
[3] For more information about the BSD 2-Clause License, see the Open Source Initiative’s template at http://opensource.org/licenses/BSD-2-Clause.