When something works, stick with it, and the Poison Ivy remote access Trojan (RAT) is living up to that old adage: it is not losing favor with nation states, which continue to make it the centerpiece of targeted attacks.
Three groups of hackers, all with ties to China, are currently managing campaigns using the RAT to steal data from organizations and monitor individuals’ activities, said researchers at FireEye.
The three campaigns target different industries yet share some of the same builder tools, employ passwords written in the same semantic pattern, and use phishing emails in their campaigns written in English using a Chinese language keyboard, the FireEye researchers said.
“There is a noticeable infrastructure built around using this tool; it’s clear they’ve trained a number of people to use and operate it,” said Darien Kindlund, manager of threat intelligence at FireEye. “It’s effective and there’s no need to change their tactics, which is why they’re still using it.”
Enterprise security managers and operations teams can become complacent about Poison Ivy, dismissing it as a crimeware tool and overlooking that it can still infect machines as it moves laterally in search of additional vulnerable hosts or the data it is after, Kindlund said.
Another reason Poison Ivy still finds favor with attackers is that its communication with command-and-control infrastructure, through which it receives further instructions, remains difficult to detect.
The three current campaigns are fundamentally familiar. The first, which FireEye named admin@338 after the password used by the attacker, targets international financial firms that specialize in analyzing global or country-specific economic policies. It uses malicious email attachments to infect endpoints with Poison Ivy, which then downloads additional malware to steal intelligence, either to monetize insider information through a market play or for geopolitical reasons, Kindlund said.
The second campaign, named th3bug after its password, spiked last year, FireEye said. It focuses on higher education, international health care and high-tech firms in order to steal intellectual property or new research that a university team has not yet made public. Most of these are watering hole attacks: a regional website frequented by the targets is compromised, and exploit code injected into the site runs on the victim's machine and delivers Poison Ivy.
The third attack, called menuPass, has been the most active of the three and dates back to 2009, spiking last year. It targets the defense industry and international government agencies trying to steal military intelligence. Spear phishing campaigns include attachments infected with Poison Ivy meant to look like a purchase order or price quote that would be fairly specific to the victim, Kindlund said.