Poison Ivy has been freely available since around 2005, and has been implicated in numerous campaigns and attacks. Many of these, including the RSA SecurID breach in 2011, seem to have originated from China. Last week, security firm FireEye published an analysis of both Poison Ivy and some of the campaigns in which it has been used. Now it has published new research warning against the automatic assumption that the use of Poison Ivy (PIVY) indicates Chinese involvement. PIVY is also “being used in a broad campaign of attacks launched from the Middle East.”
FireEye has now found a connection between PIVY and a hacking campaign it calls Molerats operated by a group known as the Gaza Hackers Team. Almost a year ago Molerats was implicated in an attack on Israel that forced the entire police force to temporarily disconnect from the Internet. It was subsequently concluded that this was part of a wider campaign that also attacked Palestinian targets and to a lesser degree the US and UK governments. The primary tool then was XtremeRAT.
Now, however, FireEye has found evidence that Molerats has started to use PIVY as well. Although it was originally thought that this was a new development, FireEye has found a malware sample linked to Molerats that was first observed by VirusTotal in September 2012. “This date is within the timeframe of the original XtremeRat attacks, but the payload in this case was PIVY. This indicates that the attackers have been using PIVY in addition to XtremeRat for longer than we had originally believed.”
The attack vector seems to be fairly standard for PIVY. “We believe that the Molerats attacker uses spear phishing to deliver weaponized RAR files containing their malicious payloads to their victims in at least two different ways. The Molerats actor will in some cases attach the weaponized RAR file directly to their spear-phishing emails. We also believe that this actor sends spear-phishing emails that include links to RAR files hosted on third-party platforms such as Dropbox.”
The motive for using PIVY is unclear. “We do not know,” says FireEye, “whether using PIVY is an attempt by those behind the Molerats campaign to frame China-based threat actors for their attacks or simply evidence that they have added another effective, publicly-available RAT to its arsenal.” But it does suggest that this usage should stop the automatic tendency for people to assume that any attack using PIVY must originate in China. “The ubiquity of off-the-shelf RATs makes determining those responsible an increasing challenge,” it says.