Poison Ivy RAT gnawing on systems again

Poison Ivy, a Remote Access Trojan (RAT) circulating on the Internet for almost a decade, is experiencing a resurgence among hackers, says a report released on Wednesday by the network security company FireEye.

The RAT has been used in several high profile attacks in the past -- notably the breach of RSA that compromised its SecurID authentication token system and the "Nitro" forays against chemical makers, government offices, defense firms, and human rights groups. FireEye said it is also currently being used in hundreds of intrusions on prominent enterprises.

Ordinarily, age isn't kind to products in the technology world, but that's not the case with Poison Ivy. "Many in the security community have dismissed Poison Ivy because it's so old," FireEye's Manager of Threat Intelligence, Darien Kindlund, explained in an interview. "That's why it's now being used as a legitimate tool by nation state threat actors to compromise victims."

In a 38-page report, FireEye researchers James T. Bennett, Ned Moran and Nart Villeneuve say three "nation state actors" using Poison Ivy were identified:

  • "admin@338", which mostly targets the financial services industry, as well as the telecom, government, and defense sectors;
  • "th3bug", which primarily targets higher education and healthcare; and
  • "menuPass", which targets U.S. and overseas defense contractors.

What sets RATs apart from typical crimeware is the amount of human intervention needed to run them. "[They] require live, direct, real-time human interaction by the [Advanced Persistent Threat] attacker," the FireEye report explained.

"This is distinctly different from crimeware, where the criminal can issue commands to their entire botnet of compromised endpoints whenever they please and then let them go to work on a common goal," the report said.

"In contrast," it said, "RATs are much more personal and may indicate that you are dealing with a dedicated threat actor that is specifically interested in your organization."

Despite being long in the tooth -- Poison Ivy first appeared in 2005 -- the RAT has managed to sustain its broad appeal. Part of that has to do with its ease of use. "RATing started out as something that took a lot of technological skill, but it has become increasingly weaponized to the point that it can hardly be called hacking anymore," Aaron Titus, chief privacy officer for Identity Finder, said in an interview.

Mikko Hypponen, chief research officer at F-Secure, said Poison Ivy, in particular, has become popular with a whole range of attackers. "Poison Ivy is a general purpose backdoor that we're seeing teenagers use and criminal gangs use to steal credit card numbers and, quite surprisingly, for years we've seen it used in these APT attacks as well," he told CSOonline.


"Many people automatically assume that attacks coming from a nation-state or an intelligence organization or a military organization would automatically use cutting edge technology and zero-day exploits and tailor-made backdoors," he added. "But that's not what we're seeing."

Joe Stewart, director of malware research at the Dell SecureWorks Counter Threat Unit, said that using a popular RAT may be a form of camouflage for some nation-state attackers. "It gives them some plausible deniability," he said.

"If someone discovers it on the network, it's just a common tool used by a lot of different hackers so it's hard to attribute it to a particular region," Stewart said.

What's more, a common RAT isn't as likely to create the kind of panic caused by something like a Stuxnet, Hypponen said. "If you get caught, if your target realizes they have an in-house infection, they wouldn't be as worried about finding a Poison Ivy infection as they would be if they found a completely tailor-made, Zero Day RAT attack," he said.

For some attackers, using an off-the-shelf RAT is a matter of balancing risk with the cost of developing software. "They're really not taking a lot of risk themselves in leaving a copy of Poison Ivy running on someone's computer," said Tom Cross, a security research director at Lancope. "If it gets compromised, it's just another copy of Poison Ivy. It doesn't reveal anything about the attacker's intent or their capabilities or what they intended to do."

Along with its report on Poison Ivy, FireEye released a set of free tools, the Calamine suite, that can be used to detect Poison Ivy infections. Calamine can recover the RAT's process mutex and password, decode its command-and-control traffic to identify exfiltration and lateral movement, and build a timeline of the malware's activity.

Tools may be useful, but the only way to really protect a network is to prevent the RAT from insinuating itself into a system in the first place, said Anup Ghosh, CEO of Invincea. "This is a band-aid approach to the problem," Ghosh said in an interview. "Are we going to put out band-aids for every RAT that's out there?"

"It's not solving the problem," he said. "It's sticking a finger in the dam as leaks develop left and right."
