Poison Ivy RAT Gnawing on Systems Again
The old remote access trojan is experiencing a new resurgence among hackers.
Thu, August 22, 2013
CSO — Poison Ivy, a Remote Access Trojan (RAT) circulating on the Internet for almost a decade, is experiencing a resurgence among hackers, says a report released on Wednesday by the network security company FireEye.
The RAT has been used in several high-profile attacks in the past -- notably the breach of RSA that compromised its SecurID authentication token system and the "Nitro" forays against chemical makers, government offices, defense firms, and human rights groups. FireEye said it is also currently being used in hundreds of intrusions on prominent enterprises.
Ordinarily, age isn't kind to products in the technology world, but that's not the case with Poison Ivy. "Many in the security community have dismissed Poison Ivy because it's so old," FireEye's Manager of Threat Intelligence, Darien Kindlund, explained in an interview. "That's why it's now being used as a legitimate tool by nation state threat actors to compromise victims."
In a 38-page report, FireEye researchers James T. Bennett, Ned Moran and Nart Villeneuve say three "nation state actors" using Poison Ivy were identified:
- "admin@338", which mostly targets the financial services industry, as well as the telecom, government, and defense sectors;
- "th3bug", which primarily targets higher education and healthcare; and
- "menuPass", which targets U.S. and overseas defense contractors.
What sets RATs apart from typical crimeware is the amount of human intervention needed to run them. "[They] require live, direct, real-time human interaction by the [Advanced Persistent Threat] attacker," the FireEye report explained.
"This is distinctly different from crimeware, where the criminal can issue commands to their entire botnet of compromised endpoints whenever they please and then let them go to work on a common goal," the report said.
"In contrast," it said, "RATs are much more personal and may indicate that you are dealing with a dedicated threat actor that is specifically interested in your organization."
Despite being long in the tooth -- Poison Ivy first appeared in 2005 -- the RAT has managed to sustain its broad appeal. Part of that has to do with its ease of use. "RATing started out as something that took a lot of technological skill, but it has become increasingly weaponized to the point that it can hardly be called hacking anymore," Aaron Titus, chief privacy officer for Identity Finder, said in an interview.
Mikko Hypponen, chief research officer at F-Secure, said Poison Ivy, in particular, has become popular with a whole range of attackers. "Poison Ivy is a general purpose backdoor that we're seeing teenagers use and criminal gangs use to steal credit card numbers and, quite surprisingly, for years we've seen it used in these APT attacks as well," he told CSOonline.