Poison Ivy

Poison Ivy, pivy, poisonivy, Gen:Trojan.Heur.PT, Darkmoon, Chymine, SPIVY
(Type: Reconnaissance, Backdoor, Info stealer, Credential stealer, Exfiltration)

Poison Ivy is a popular remote access tool (RAT) that has been used by many groups.

[News Analysis] Trends:

Total Trend: 51

Trend Per Year (referenced articles per year)
  • 2010: 4
  • 2011: 1
  • 2013: 2
  • 2014: 2
  • 2015: 1
  • 2016: 3
  • 2017: 4
  • 2018: 2
  • 2019: 5
  • 2020: 15
  • 2021: 5
  • 2022: 7

Trend Per Month (articles dated with a year only are counted under that year)
  • 2010 (year only): 2
  • Jan 2010: 1
  • Jul 2010: 1
  • 2011 (year only): 1
  • Aug 2013: 1
  • Oct 2013: 1
  • 2014 (year only): 1
  • Sep 2014: 1
  • Feb 2015: 1
  • Apr 2016: 2
  • Nov 2016: 1
  • May 2017: 1
  • Aug 2017: 2
  • Sep 2017: 1
  • May 2018: 1
  • Sep 2018: 1
  • 2019 (year only): 1
  • Jun 2019: 1
  • Jul 2019: 1
  • Nov 2019: 1
  • Dec 2019: 1
  • 2020 (year only): 5
  • Jan 2020: 2
  • Mar 2020: 2
  • Aug 2020: 2
  • Sep 2020: 3
  • Oct 2020: 1
  • Jan 2021: 2
  • Feb 2021: 1
  • Mar 2021: 1
  • Jun 2021: 1
  • May 2022: 2
  • Jul 2022: 3
  • Aug 2022: 1
  • Nov 2022: 1



[News Analysis] News Mention Another Threat Name:

Mention count per name: PlugX (55), Poison Ivy (101), Chinoxy (2), Raindrop (4), SUNBURST (4), TEARDROP (4), WastedLocker (4), APT20 (1), FormerFirstRAT (9), IsSpace (7), NewCT (7), Tidepool (6), DragonOK (6), Rovnix (5), ShadowPad (5), Zupdax (5), HUI Loader (3), Quasar RAT (26), Icefog (14), PcShare (5), QuickHeal (5), DAGGER PANDA (5), TA428 (6), Ghost RAT (28), NoxPlayer (3), Red Dev 17 (3), MimiKatz (22), Trochilus RAT (4), Cotx RAT (14), nccTrojan (4), Tmanger (4), CHINACHOPPER (25), Cobalt Strike (21), Empire Downloader (19), 8.t Dropper (7), BYEBY (4), Enfal (30), Korlia (13), HenBox (3), Farseer (3), BLACKCOFFEE (16), Datper (10), DDKONG (10), Derusbi (47), NewCore RAT (10), PLAINTEE (10), Sisfader (10), Anel (7), ChChes (7), RedLeaves (7), APT10 (7), 9002 RAT (17), HttpBrowser (25), HyperBro (10), owaauth (10), ZXShell (27), APT27 (10), APT19 (5), DeputyDog (8), HiKit (8), APT17 (8), BlackShades (5), DarkComet (5), Xtreme RAT (5), Molerats (5), HTran (18), GALLIUM (5), MESSAGETAP (16), TSCookie (16), ACEHASH (16), HIGHNOON (16), NetWire RC (16), poisonplug (16), pupy (16), Operation Soft Cell (4), APT24 (4), BlackPOS (18), CryptoLocker (18), Elise (18), EvilGrab (18), Gameover P2P (18), Medusa (18), Mirage (18), Naikon (18), NetTraveler (18), pirpi (18), Sakula RAT (18), Sinowal (26), sykipot (18), taidoor (18), SysGet (3), Bozok (2), TEMPER PANDA (2), Nitro (1), Darkmoon (0), Bredolab (9), Conficker (9), Cutwail (9), KoobFace (9), Oderoor (9), Rustock (9), Szribi (9), Zeus (9)


[TTP Analysis] Technique Performance:

  • Reconnaissance: 0/43
  • Resource Development: 0/45
  • Initial Access: 0/19
  • Execution: 1/36
  • Persistence: 3/113
  • Privilege Escalation: 4/96
  • Defense Evasion: 4/184
  • Credential Access: 1/63
  • Discovery: 1/44
  • Lateral Movement: 0/22
  • Collection: 3/37
  • Command and Control: 2/39
  • Exfiltration: 0/18
  • Impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

Reconnaissance (TA0043): none
Resource Development (TA0042): none
Initial Access (TA0001): none
Execution (TA0002)
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
Persistence (TA0003)
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1547.014 Boot or Logon Autostart Execution: Active Setup
  • T1543.003 Create or Modify System Process: Windows Service
Privilege Escalation (TA0004)
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1547.014 Boot or Logon Autostart Execution: Active Setup
  • T1543.003 Create or Modify System Process: Windows Service
  • T1055.001 Process Injection: Dynamic-link Library Injection
Defense Evasion (TA0005)
  • T1112 Modify Registry
  • T1027 Obfuscated Files or Information
  • T1055.001 Process Injection: Dynamic-link Library Injection
  • T1014 Rootkit
Credential Access (TA0006)
  • T1056.001 Input Capture: Keylogging
Discovery (TA0007)
  • T1010 Application Window Discovery
Lateral Movement (TA0008): none
Collection (TA0009)
  • T1005 Data from Local System
  • T1074.001 Data Staged: Local Data Staging
  • T1056.001 Input Capture: Keylogging
Command and Control (TA0011)
  • T1573.001 Encrypted Channel: Symmetric Cryptography
  • T1105 Ingress Tool Transfer
Exfiltration (TA0010): none
Impact (TA0040): none


[Infrastructure Analysis] Based on Related IOC:

IP:Port             Timestamp
5.153.123.11:3460   2023-11-25
94.98.183.32:3460   2023-11-23
94.98.229.240:3460  2023-11-19
94.49.183.29:3460   2023-11-10

Domain              Timestamp
(none listed)

URL                 Timestamp
(none listed)


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Evolution of the PlugX loader

2022-11-30 by Matsumoto from FFRI Security

A Tale of PivNoxy and Chinoxy Puppeteer

2022-08-22 by Shunichi Imano from Fortinet

Space Invaders: Cyber Threats That Are Out Of This World

2022-07-31 by BushidoToken from BushidoToken Blog

Crawling Taurus

2022-07-18 by Unit 42 from Palo Alto Networks Unit 42

Shallow Taurus

2022-07-18 by Unit 42 from Palo Alto Networks Unit 42

Space Pirates: analyzing the tools and connections of a new hacker group

2022-05-17 by Positive Technologies from Positive Technologies

Analysis of HUI Loader

2022-05-16 by Shusei Tomonaga from JPCERT/CC

Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries

2021-06-16 by Insikt Group® from Recorded Future

China-linked TA428 Continues to Target Russia and Mongolia IT Companies

2021-03-17 by Insikt Group® from Recorded Future

Operation NightScout: Supply‑chain attack targets online gaming in Asia

2021-02-01 by Ignacio Sanmillan from ESET Research

Cracking a Soft Cell is Harder Than You Think

2021-01-15 by Markus Neis from Swisscom

Operation LagTime IT: colourful Panda footprint

2021-01-08 by Fumio Ozawa from Youtube (Virus Bulletin)

Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions

2020-10-01 by US-CERT from US-CERT

Operation LagTime IT: colourful Panda footprint

2020-09-30 by Fumio Ozawa from NTT Security

Operation LagTime IT: colourful Panda footprint (Slides)

2020-09-30 by Fumio Ozawa from NTT Security

RiskIQ: Adventures in Cookie Land - Part 2

2020-09-16 by Jon Gross from RiskIQ

Operation Lagtime IT: Colourful Panda Footprint

2020-08-28 by Fumio Ozawa from NTT

Operation LagTime IT: Colorful Panda Footprint

2020-08-19 by Fumio Ozawa from NTT Security

Vicious Panda: The COVID Campaign

2020-03-12 by Check Point Research from Check Point

Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary

2020-03-02 by Alex Hinchliffe from Virus Bulletin

An Overhead View of the Royal Road

2020-01-29 by nao_sec from nao_sec blog

TA428 Group abusing recent conflict between Iran and USA

2020-01-09 by Jagaimo Kawaii from Lab52

BRONZE RIVERSIDE

2020 by SecureWorks from Secureworks

BRONZE UNION

2020 by SecureWorks from Secureworks

BRONZE FIRESTONE

2020 by SecureWorks from Secureworks

BRONZE KEYSTONE

2020 by SecureWorks from Secureworks

ALUMINUM SARATOGA

2020 by SecureWorks from Secureworks

GALLIUM: Targeting global telecom

2019-12-12 by Microsoft Threat Intelligence Center from Microsoft

Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions

2019-11-19 by Kelli Vanderlee from FireEye

Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia

2019-07-23 by Michael Raggi from Proofpoint

OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS

2019-06-25 by Cybereason Nocturnus from Cybereason

A vine climbing over the Great Firewall: A long-term attack against China

2019 by Lion Gu from Virus Bulletin

Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment

2018-09-21 by Qihoo 360 from Qihoo 360 Technology

IR in Heterogeneous Environment

2018-05-15 by Keven Murphy from BSides Detroit

Deep Analysis of New Poison Ivy/PlugX Variant - Part II

2017-09-15 by Xiaopeng Zhang from Fortinet

Analysing a recent Poison Ivy sample

2017-08-31 by Ahmed Zaki from NCC Group

Deep Analysis of New Poison Ivy Variant

2017-08-23 by Xiaopeng Zhang from Fortinet

PittyTiger

2017-05-31 by MITRE ATT&CK from MITRE

Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy

2016-11-22 by Vicky Ray from Palo Alto Networks Unit 42

New Poison Ivy Activity Targeting Myanmar, Asian Countries

2016-04-26 by Jason Jones from Github (CyberMonitor)

New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists

2016-04-22 by Micah Yates from Palo Alto Networks Unit 42

CrowdStrike Global Threat Intel Report 2014

2015-02-06 by CrowdStrike from CrowdStrike

Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy

2014-09-19 by Jen Miller-Osborn from Palo Alto Networks Unit 42

Operation Quantum Entanglement

2014 by FireEye from FireEye

Know Your Enemy: Tracking A Rapidly Evolving APT Actor

2013-10-31 by Thoufique Haq from FireEye

Operation Molerats: Middle East Cyber Attacks Using Poison Ivy

2013-08-23 by Nart Villeneuve from FireEye

The Nitro Attacks: Stealing Secrets from the Chemical Industry

2011 by Erica Eng from Symantec

CVE-2010-2568 keylogger Win32/Chymine.A

2010-07-30 by Mila Parkour from Contagiodump Blog

Jan 17 Trojan Darkmoon.B EXE Haiti relief from santi_nidas@yahoo.com 17 Jan 2010 13:15:02 -0800 PST

2010-01-17 by Mila Parkour from Contagiodump Blog

Trojan-Downloader:W32/Chymine.A

2010 by _ from F-Secure

State of Malware: Family Ties

2010 by Ero Carrera from Mandiant

Basic Information (Credit @etda.or.th)

Tool: Poison Ivy

Names: Poison Ivy, pivy, poisonivy, Gen:Trojan.Heur.PT, Darkmoon, Chymine, SPIVY

Description: Poison Ivy is a popular remote access tool (RAT) that has been used by many groups.

Category: Malware

Type: Reconnaissance, Backdoor, Info stealer, Credential stealer, Exfiltration

Information: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf

Information: https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant.html

Information: https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii

Information: http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html

Information: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/

Information: https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/

Information: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html

Information: https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html

Information: https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/

Information: http://blogs.360.cn/post/APT_C_01_en.html

Information: https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

Mitre-attack: https://attack.mitre.org/software/S0012/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:Poison%20Ivy

Last-card-change: 2022-12-29

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

Indicators of Compromise (Credit @ThreatFox)

IP:PORT
  • 5.153.123.11:3460
  • 94.98.183.32:3460
  • 94.98.229.240:3460
  • 94.49.183.29:3460
MD5_HASH
  • c616002f3cce0fd52d6ead8621a9f1f1

TTP Info (Credit @Mitre)

Tactics with no attributed techniques: Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Lateral Movement (TA0008), Exfiltration (TA0010), Impact (TA0040).

Execution (TA0002)
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
    Poison Ivy creates a backdoor through which remote attackers can open a command-line interface.
Persistence (TA0003)
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    Poison Ivy creates Run key registry entries pointing to a malicious executable dropped to disk.
  • T1547.014 Boot or Logon Autostart Execution: Active Setup
    Poison Ivy creates a registry key in the Active Setup pointing to a malicious executable.
  • T1543.003 Create or Modify System Process: Windows Service
    Poison Ivy creates a registry subkey that registers a new service. Poison Ivy also creates a registry entry modifying the Logical Disk Manager service to point to a malicious DLL dropped to disk.
Privilege Escalation (TA0004)
  • T1547.001, T1547.014, T1543.003: same entries as under Persistence above.
  • T1055.001 Process Injection: Dynamic-link Library Injection
    Poison Ivy can inject a malicious DLL into a process.
Defense Evasion (TA0005)
  • T1112 Modify Registry
    Poison Ivy creates a registry subkey that registers a new system device.
  • T1027 Obfuscated Files or Information
    Poison Ivy hides any strings related to its own indicators of compromise.
  • T1055.001 Process Injection: Dynamic-link Library Injection: same entry as under Privilege Escalation above.
  • T1014 Rootkit
    Poison Ivy starts a rootkit from a malicious file dropped to disk.
Credential Access (TA0006)
  • T1056.001 Input Capture: Keylogging
    Poison Ivy contains a keylogger.
Discovery (TA0007)
  • T1010 Application Window Discovery
    Poison Ivy captures window titles.
Collection (TA0009)
  • T1005 Data from Local System
    Poison Ivy creates a backdoor through which remote attackers can steal system information.
  • T1074.001 Data Staged: Local Data Staging
    Poison Ivy stages collected data in a text file.
  • T1056.001 Input Capture: Keylogging: same entry as under Credential Access above.
Command and Control (TA0011)
  • T1573.001 Encrypted Channel: Symmetric Cryptography
    Poison Ivy uses the Camellia cipher to encrypt communications.
  • T1105 Ingress Tool Transfer
    Poison Ivy creates a backdoor through which remote attackers can upload files.