Skip to content

Latest commit

 

History

History
84 lines (66 loc) · 5.03 KB

poison-ivy.md

File metadata and controls

84 lines (66 loc) · 5.03 KB
ID X0014
Type Remote Access Trojan
Aliases None
Platforms Windows
Year 2005
Associated ATT&CK Software PoisonIvy

Poison Ivy

Poison Ivy is a Remote Access Trojan (RAT).

ATT&CK Techniques

See ATT&CK: Poison Ivy - Techniques Used.

Enhanced ATT&CK Techniques

Name Use
Defense Evasion::Process Injection (E1055) Code is injected into explorer.exe. [2]
Collection::Input Capture (E1056) Poison Ivy can capture audio and video. [2]
Collection::Keylogging (F0002) Poison Ivy can capture keystrokes. [2]
Persistence::Registry Run Keys / Startup Folder (F0012) To start itself at system boot, Poison Ivy adds registry entries. [4]
Execution::Command and Scripting Interpreter (E1059) After the Poison Ivy server is running on the target machine, the attacker uses a Windows GUI client to control the target computer. [1]
Anti-Static Analysis::Executable Code Obfuscation::Stack Strings (B0032.017) A Poison Ivy variant encrypts all its strings. [3]
Command and Control::Ingress Tool Transfer (E1105) The Poison Ivy implant is run on the target machine. [2]
Defense Evasion::Obfuscated Files or Information (E1027) The malware obfuscates files. [2]

MBC Behaviors

Name Use
Impact::Remote Access (B0022) After the Poison Ivy server is running on the target machine, the attacker uses a Windows GUI client to control the target computer. [1]
Cryptography::Encrypt Data::Camellia (C0027.003) Poison Ivy's custom network protocol over TCP is encrypted using Camellia cipher with a 256-bit key. [2]
Process::Create Mutex (C0042) Poison Ivy has a default process mutex, but it can be altered at build time. [3]
Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints (B0001.005) A Poison Ivy variant checks for breakpoints and exits immediately if found. [3]
Discovery::Analysis Tool Discovery (B0013) A Poison Ivy variant runs a thread to check if any analysis tools are running by creating specially named pipes that are created by various analysis tools. If one of the named pipes cannot be created, it means one of the analysis tools is running. [3]
Discovery::Analysis Tool Discovery::Known Windows Class Name (B0013.010) A Poison Ivy variant goes through all the running program windows to check if any Windows class name contains a special string to determine if an analysis tool is running. [3]
Process::Check Mutex (C0043) A Poison Ivy variant checks if the wireshark-is-running{} named mutex object exists. [3]
Anti-Behavioral Analysis::Debugger Detection::IsDebuggerPresent (B0001.008) A Poison Ivy variant uses the IsDebuggerPresent API function call to check if the process is running in a debugger. [3]
Communication::Interprocess Communication::Write Pipe (C0003.004) Poison Ivy writes pipes. [5]
File System::Read File (C0051) Poison Ivy reads files on Windows. [5]
File System::Write File (C0052) Poison Ivy writes files on Windows. [5]
Operating System::Registry::Query Registry Value (C0036.006) Poison Ivy queries or enumerates registry values. [5]

Indicators of Compromise

SHA256 Hashes

  • 84d90250568f26328394ac2941fe7be266d43b71309caf40eb8863b38a39a506
  • 4d43c64d776a52ac5a0831aa879305c0eabb452ac5131e1b381598ad7e83cc77

References

[1] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy

[2] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf

[3] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant

[4] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/poisonivy

[5] capa v4.0, analyzed at MITRE on 10/12/2022