Poison Ivy
⚠️ Overview
Poison Ivy is a Remote Access Trojan (RAT) first identified in 2005, attributed to Chinese-speaking threat actors and widely used in espionage campaigns. It falls under the RAT category, enabling remote control of infected systems.
🔧 Technical Capabilities
Poison Ivy uses a custom command-and-control (C2) protocol over TCP or UDP, often on ports 80, 443, or 3460, and supports plugins for keylogging, screen capture, file transfer, and reverse proxy. Persistence is achieved via registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or service installation. Evasion techniques include process injection into legitimate processes like explorer.exe and encryption of its configuration using XOR with a fixed key. Propagation occurs through spear-phishing emails with weaponized attachments or exploits. It also maintains a mutex named Poison Ivy or PI_xxx to prevent multiple instances.
📜 History & Notable Incidents
Poison Ivy was used in the 2013 cyber-espionage campaign against the U.S. Department of Veterans Affairs and the 2015 attack on the German parliament. Notable CVEs exploited include CVE-2012-0158 (Microsoft Office MSCOMCTL) and CVE-2010-3333 (Word RTF vulnerability). The malware was linked to the APT group known as APT3 (GOTHIC PANDA) by Mandiant. No major law enforcement actions have been publicly reported, but multiple vendor reports detail its use in long-term espionage.
🔍 Detection Indicators
Known file hashes include MD5: 0c7e1a6c5e8b7f4d2a3e9b8c1d5f6a7b (example) and SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Network IOCs include connections to IPs in China (e.g., 202.113.0.0/16) and User-Agent strings like Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1). Registry keys include HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PI.
☠️ Risk & Impact
Poison Ivy enables full remote control, leading to data exfiltration of sensitive documents, credentials, and intellectual property. Financial losses from espionage and cleanup costs have affected government, defense, and technology sectors. The malware is commonly associated with China-based threat groups targeting aerospace and energy industries.
🛡️ Mitigation
Mitigation includes blocking C2 domains via DNS sinkholes, using endpoint detection and response (EDR) tools to detect process injection, and applying patches for CVE-2012-0158 and CVE-2010-3333. Network signatures for Poison Ivy’s custom protocol (e.g., specific byte patterns in packets) are available in Snort rules (SID 27720).
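The following triage script is an added example (not code from the original page or from any vendor tool) that checks telemetry events against the indicators listed in the Technical Capabilities and Detection Indicators sections above: the C2 ports and the 202.113.0.0/16 range, the User-Agent string, the Run\PI value, and the Poison Ivy / PI_xxx mutex names. The event dictionary layout and the sample events are constructed assumptions.

```python
import ipaddress
import re

# Indicators taken from the profile above; everything else here is constructed.
PI_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
PI_PORTS = {80, 443, 3460}
PI_NETWORK = ipaddress.ip_network("202.113.0.0/16")
# Run\PI value under either hive (HKCU per the persistence notes, HKLM per the IOC list).
PI_RUN_KEY_RE = re.compile(
    r"^(hklm|hkcu)\\software\\microsoft\\windows\\currentversion\\run\\pi$"
)
PI_MUTEX_RE = re.compile(r"^(Poison Ivy|PI_\w+)$")


def normalize_key(key: str) -> str:
    """Lower-case a registry path and shorten long hive names (assumed input format)."""
    key = key.strip().lower()
    return key.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")


def score_event(event: dict) -> list:
    """Return the names of the Poison Ivy indicators matched by one telemetry event."""
    hits = []
    kind = event.get("type")
    if kind == "network":
        try:
            dst = ipaddress.ip_address(event.get("dst_ip", ""))
        except ValueError:
            dst = None
        if dst is not None and dst in PI_NETWORK and event.get("dst_port") in PI_PORTS:
            hits.append("c2_port_to_202.113.0.0/16")
        # Exact match only: this UA is also legitimate old IE traffic, so it is a weak
        # indicator on its own and is meant to be corroborated by the other hits.
        if event.get("user_agent") == PI_USER_AGENT:
            hits.append("pi_user_agent")
    elif kind == "registry":
        if PI_RUN_KEY_RE.match(normalize_key(event.get("key", ""))):
            hits.append("run_key_PI")
    elif kind == "mutex":
        if PI_MUTEX_RE.match(event.get("name", "")):
            hits.append("pi_mutex")
    return hits


def triage(events: list) -> dict:
    """Map event index -> matched indicators, keeping only events with at least one hit."""
    return {i: h for i, e in enumerate(events) if (h := score_event(e))}
```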
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.