
Poison Ivy hacker Trojan still being used in cyberattacks, warns FireEye

Releases free analysis tool


Security firm FireEye has released a toolset organisations can use to analyse attacks made using the Poison Ivy Remote Access Trojan (RAT), an underrated “ancient pest” it believes could offer a useful way of getting to grips with today’s most sophisticated Advanced Persistent Threats (APTs).

Called ‘Calamine’, it is not designed to stop Poison Ivy so much as detect and work out whether and how it might be part of a more complex incursion.

As the accompanying report Poison Ivy: Assessing Damage and Extracting Intelligence makes clear, Poison Ivy has been around since 2006 and was later used in a clutch of high profile attacks, most notably that on RSA Security’s SecurID system and the Nitro attacks on chemical firms, both from 2011.

So common has Poison Ivy become that it might be easier to state which attacks it has not been used in. Its success is down to a combination of its ease of use and its ubiquity; the more it has been used, the easier it has become to confuse defenders looking to attribute an attack to a single group or even country.

The purpose of any RAT, including Poison Ivy, is to keylog credentials, scrape screens, steal documents, and manually traverse a network via a compromised resource such as an unpatched server or PC.  Paradoxically perhaps, defenders are now at risk of viewing it as an off-the-shelf, almost generic form of attack FireEye describes as akin to hacker “training wheels,” a threat that can safely be downplayed or even ignored.

“Dismissing this common breed of malware could be a costly mistake. Despite their reputation as a software toy for novice attackers, RATs remain a linchpin of many sophisticated cyberattacks and are used by numerous threat actors,” said FireEye threat intelligence manager, Darien Kindlund.

“Today, we see hundreds of attacks using Poison Ivy targeting very high profile enterprises,” he said.

But as potent as RATs can be, they do have one weakness, which is where Calamine comes in: they require real-time, manual control by an attacker, and that makes them detectable with the right tools. Calamine comes with a module to decrypt remote commands, as well as a layer able to capture the configuration from running malware processes in order to trace and model what they have been doing on a network, FireEye said.

The key was to use RAT detection as the start of the hunt, not the end of it. The presence of a remote attacker inside a network could easily indicate something more complex and serious was occurring.

“RATs are much more personal and may indicate that you are dealing with a dedicated threat actor that’s interested in your organization specifically,” said the report’s authors.

Calamine can be downloaded from GitHub via links on the FireEye website. The report, which includes analysis of 194 Poison Ivy attacks since 2008, is available direct.

Earlier this month, FireEye announced details of a $175 million (£115 million) IPO.
