Poison Ivy

The Poison Ivy trojan is a remote access trojan (RAT) that was first identified in 2005 and has continued to make headlines throughout the years. In 2011, it was used in the "Nitro" campaign that targeted government organizations, chemical manufacturers, human rights groups, and defense contractors. In 2012, attackers exploited a Java zero-day vulnerability to spread the malware and, in 2013, Poison Ivy was used to infect visitors of a US government website by exploiting an Internet Explorer zero-day vulnerability. This RAT has been used by a large variety of hacking groups and in various operations, including at least three separate advanced persistent threat (APT) campaigns. Poison Ivy is designed with spying capabilities as it can monitor victims remotely and steal user credentials and files. It is often spread through malicious Word or PDF attachments in spearphishing emails. In 2013, FIreEye disseminated a detailed report on Poison Ivy and provided its typical attack sequence:

  1. The attacker sets up a custom Poison Ivy (PIVY) server, incorporating details on how the RAT will install itself on the target computer, enabled features, and the encryption password, among others.
  2. The attacker sends the PIVY server installation file to the target's computer. The target opens the infected email and executes the file, or visits a compromised website.
  3. The server installation file executes on the target computer and downloads additional code through an encrypted communication channel to avoid antivirus detection. 
  4. Once the PIVY server is running on the target machine, the attacker uses a Windows GUI client to control the target computer. 

Reporting

  • November 2011: Hackers used "Poison Ivy" malware to steal chemical, defense secrets. (Techworld)
  • September 2012: New IE zero-day exploit circulating, used to install Poison Ivy. (Naked Security)
  • August 2013: Poison Ivy discovered in ongoing espionage efforts. (SC Magazine)
  • April 2016: Poison Ivy RAT receives update just in time to spy on Hong Kong. (Softpedia)
  • August 2017: A new variant of this trojan is being spread through a compromised PowerPoint (ppsx) file. (Fortinet)

Technical Details

  • FireEye provides technical analysis on the Poison Ivy RAT, available here.  
Trojan VariantsNJCCICPoison Ivy