
Poison Ivy gets 'Calamined'

Although seven years old, the Poison Ivy RAT Trojan is still a favourite with nation states wishing to commit cyber espionage, says FireEye.

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 22 Aug 2013
Despite its age, Poison Ivy has remained popular with attackers.

FireEye has unveiled a set of free tools that can analyse attacks made using the Poison Ivy remote access Trojan (RAT), an old foe and an underrated weapon in cyber espionage attacks.

Although it has been around since 2006, Poison Ivy has remained a popular tool with attackers, in particular with nation states wishing to commit cyber espionage.

According to Threatpost, three groups of hackers have recently been found to be using the RAT to steal data from companies and spy on individuals. The groups purportedly have ties to China, and possibly to each other with regard to their funding and training.

The tools, dubbed "Calamine", are aimed at drawing Poison Ivy out of the shadows, by helping security professionals to identify indicators of a Poison Ivy RAT attack.

These indicators include the threat actor's Poison Ivy process mutex and password, decoded command and control traffic that reveals exfiltration and lateral movement, and a timeline of Poison Ivy malware activity.

An old favourite

A recent FireEye report said that despite its age, Poison Ivy has remained popular with attackers, as it is easy to use, controlled through a Windows interface, and has a host of features. These include key-logging, screen capturing, video capturing, file transfers, password theft, system administration, traffic relaying, and suchlike.

In addition, because it is so widely spread, security professionals have trouble pinpointing attacks to a particular attacker.

Poison Ivy was used in a cluster of high-profile attacks in 2011, most notably in the RSA SecurID compromise and the attacks dubbed Nitro that targeted government agencies, defence companies, human-rights groups and chemical manufacturers.

In a press release, Darien Kindlund, manager of threat intelligence at FireEye, said the RAT "may be the hacker's equivalent of training wheels", but noted it is a mistake to dismiss this threat.

"RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors. Today, we see hundreds of attacks using Poison Ivy targeting very high profile enterprises," he added.
