PoisonIvy

PoisonIvy is a popular remote access tool (RAT) that has been used by many groups. [1] [2] [3]

ID: S0012
Associated Software: Poison Ivy, Darkmoon

Type: MALWARE
Contributors: Darren Spruell

Platforms: Windows

Version: 1.0

Associated Software Descriptions

Name | Description
Poison Ivy | [1] [4]
Darkmoon | [4]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1010 | Application Window Discovery | PoisonIvy captures window titles. [3]
Enterprise | T1059 | Command-Line Interface | PoisonIvy creates a backdoor through which remote attackers can open a command-line interface. [3]
Enterprise | T1005 | Data from Local System | PoisonIvy creates a backdoor through which remote attackers can steal system information. [3]
Enterprise | T1074 | Data Staged | PoisonIvy stages collected data in a text file. [3]
Enterprise | T1056 | Input Capture | PoisonIvy contains a keylogger. [1] [3]
Enterprise | T1031 | Modify Existing Service | PoisonIvy creates a Registry entry modifying the Logical Disk Manager service to point to a malicious DLL dropped to disk. [3]
Enterprise | T1112 | Modify Registry | PoisonIvy creates a Registry subkey that registers a new system device. [3]
Enterprise | T1050 | New Service | PoisonIvy creates a Registry subkey that registers a new service. [3]
Enterprise | T1027 | Obfuscated Files or Information | PoisonIvy hides any strings related to its own indicators of compromise. [3]
Enterprise | T1055 | Process Injection | PoisonIvy can inject a malicious DLL into a process. [1] [3]
Enterprise | T1060 | Registry Run Keys / Startup Folder | PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk. [3]
Enterprise | T1105 | Remote File Copy | PoisonIvy creates a backdoor through which remote attackers can upload files. [3]
Enterprise | T1014 | Rootkit | PoisonIvy starts a rootkit from a malicious file dropped to disk. [3]
Enterprise | T1032 | Standard Cryptographic Protocol | PoisonIvy uses the Camellia cipher to encrypt communications. [1]
Enterprise | T1065 | Uncommonly Used Port | PoisonIvy opens a backdoor on TCP ports 6868 and 7777. [3]

Groups

Groups that use this software:

admin@338
APT1
DragonOK
Elderwood
menuPass
Moafee
Molerats
PittyTiger
Tropic Trooper

References