PoisonIvy

PoisonIvy is a popular remote access tool (RAT) that has been used by many groups. [1] [2] [3]

ID: S0012
Associated Software: Poison Ivy, Darkmoon
Type: MALWARE
Platforms: Windows
Contributors: Darren Spruell
Version: 1.2
Created: 31 May 2017
Last Modified: 06 January 2021

Associated Software Descriptions

Name Description
Poison Ivy

[1] [4]

Darkmoon

[4]

Techniques Used

Domain ID Name Use
Enterprise T1010 Application Window Discovery

PoisonIvy captures window titles.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk.[3]

.014 Boot or Logon Autostart Execution: Active Setup

PoisonIvy creates a Registry key in the Active Setup pointing to a malicious executable.[5][6][7]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PoisonIvy creates a backdoor through which remote attackers can open a command-line interface.[3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

PoisonIvy creates a Registry subkey that registers a new service. PoisonIvy also creates a Registry entry modifying the Logical Disk Manager service to point to a malicious DLL dropped to disk.[3]

Enterprise T1005 Data from Local System

PoisonIvy creates a backdoor through which remote attackers can steal system information.[3]

Enterprise T1074 .001 Data Staged: Local Data Staging

PoisonIvy stages collected data in a text file.[3]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

PoisonIvy uses the Camellia cipher to encrypt communications.[1]

Enterprise T1105 Ingress Tool Transfer

PoisonIvy creates a backdoor through which remote attackers can upload files.[3]

Enterprise T1056 .001 Input Capture: Keylogging

PoisonIvy contains a keylogger.[1][3]

Enterprise T1112 Modify Registry

PoisonIvy creates a Registry subkey that registers a new system device.[3]

Enterprise T1027 Obfuscated Files or Information

PoisonIvy hides any strings related to its own indicators of compromise.[3]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

PoisonIvy can inject a malicious DLL into a process.[1][3]

Enterprise T1014 Rootkit

PoisonIvy starts a rootkit from a malicious file dropped to disk.[3]

Groups That Use This Software

ID Name References
G0017 DragonOK

[8]

G0018 admin@338

[9]

G0045 menuPass

[10][11]

G0011 PittyTiger

[12]

G0002 Moafee

[13]

G0081 Tropic Trooper

[14]

G0066 Elderwood

[2]

G0021 Molerats

[15][16][17]

G0006 APT1

[18]

G0093 GALLIUM

[19][20]

G0129 Mustang Panda

[21][22]

References