FireEye Labs has released a set of tools with the sole purpose of helping organisations detect and examine infections by the Poison Ivy RAT. Cleverly called Calamine, this collection of free tools promises to give security professionals the opportunity to identify the indicators of a Poison Ivy attack including the process mutex and password, decoded command and control traffic and a malware activity timeline.
By connecting these facets of an attack, and correlating them with other attacks that display similar identifying features, FireEye hopes that the bad guys can be better profiled; combining big-picture intelligence with granular evidential detail in this way should enhance organisational IT defence.
Now you might be thinking that Poison Ivy is old news. After all, this particular Remote Access Trojan is not only considered the stuff of script kiddie n00b hackers, but at eight years of age it has also been around long enough to be well and truly on the detection radar. Yet FireEye Labs research suggests quite the opposite, having found it at the heart of breaches as big as the RSA SecurID data attack in 2011, and FireEye insists it has evidence of Poison Ivy being involved in "hundreds of attacks" targeting very high profile enterprises.
Those attacks involve several ongoing nation-state threat 'actors' identified by FireEye, such as:
- admin@338: Active since 2008, this actor mostly targets the financial services industry. FireEye has also observed activity from this actor in telecom, government, and defense sectors.
- th3bug: First detected in 2009, FireEye has observed this actor targeting a number of industries, primarily higher education and health care.
- menuPass: Also first detected in 2009, FireEye research suggests that this actor targets U.S. and overseas defense contractors.
Darien Kindlund, manager of threat intelligence at FireEye, says "Understanding why Poison Ivy remains one of the most widely used RATs is easy. Controlled through a familiar Windows interface, it offers a bevy of handy features: key logging, screen capture, video capturing, file transfers, password theft, system administration, traffic relaying, and more."