Poison Ivy Attack Toolkit With Ties To China Linked To Other Hacking Groups


The Poison Ivy remote access toolkit, a longstanding malware package believed by many researchers to have strong ties to China, may be being used by other countries and hacking groups to target corporate executives in various industries.

Researchers at Milpitas, Calif.-based security firm FireEye said the malware is being used in a broad campaign of attacks launched from the Middle East. In new research released Friday, the firm said it detected the use of the toolkit against targets in the Middle East and the U.S. in June and July.

The targeted attacks began with a standard spearphishing email and could have ties to a group of hackers called the "Gaza Hackers Team," according to the FireEye researchers, who analyzed the latest attacks. The attackers set their sights on Israeli government targets and appear to be trying to hide behind the Chinese toolkit to throw off investigators, said the researchers, who call the campaign "Operation Molerats."

[Related: Advanced Persistent Threats: Not-So-Advanced Methods After All]

"The ongoing attacks are also heavily leveraging content in Arabic that uses conflicts in Egypt and the wider Middle East to lure targets into opening malicious files. But we have no further information about the exact targets of these Arabic lures," wrote FireEye researchers Nart Villeneuve, Ned Moran and Thoufique Haq. "This development should raise a warning flag for anyone tempted to automatically attribute all PIVY attacks to threat actors based in China. The ubiquity of off-the-shelf RATs makes determining those responsible an increasing challenge."

Nation-state-sponsored attacks have been linked to a variety of remote access toolkits, or RATs, which can be purchased and customized by an attacker. Once dropped on a victim's system, the malware makes contact with a remote server, giving an attacker the ability to upload additional malware, view and steal data or maneuver to more sensitive systems. Poison Ivy has been in circulation for years, according to researchers, but it's been increasingly used in targeted attacks because of its ability to evade detection. It was used in the RSA SecurID data breach, enabling attackers to steal key pieces of data about the company's core intellectual property.

The remote access tools could lead to more serious damage on the network, leading some experts to warn businesses that may be targeted to consider implementing redundant systems, offline backups and parallel networks.

The attacks analyzed by FireEye were contained in malicious file attachments or hosted in files on Dropbox. The malware was created using a forged Microsoft certificate, making it appear legitimate to signature-based security detection. The FireEye researchers said that the timestamps on some malware samples indicate that Poison Ivy may have been used by Middle Eastern attackers for years.

FireEye also published a Poison Ivy report (.PDF) this week, which aims to shed light on the damage caused by the toolkit. Unlike other remote access toolkits, Poison Ivy uses a strong encryption algorithm to hide what has been stolen from the targeted system, according to the report.

"Understanding why Poison Ivy remains one of the most widely used RATs is easy," FireEye said. "Controlled through a familiar Windows interface, it offers a bevy of handy features: key logging, screen capture, video capturing, file transfers, password theft, system administration, traffic relaying, and more."

Attacks have been active since 2008, according to the report. They were spotted targeting executives in higher education, international health-care organizations, global financial firms and defense industry businesses. Email messages are custom-made, designed to look like purchase orders, research documents and other information.

PUBLISHED AUG. 23, 2013