Security firm FireEye has released a toolset organisations can use to analyse attacks made using the Poison Ivy Remote Access Trojan (RAT), an underrated “ancient pest” it believes could offer a useful way of getting to grips with today’s most sophisticated Advanced Persistent Threats (APTs).
Called ‘Calamine’, it is not designed to stop Poison Ivy so much as detect and work out whether and how it might be part of a more complex incursion.
As the accompanying report Poison Ivy: Assessing Damage and Extracting Intelligence makes clear, Poison Ivy has been around since 2006 and was later used in a clutch of high profile attacks, most notably that on RSA Security’s SecurID system and the Nitro attacks on chemical firms, both from 2011.
So common has Poison Ivy become that it might be easier to state which attacks it has not been used in. Its success is down to a combination of its ease of use and its ubiquity; the more it has been used, the easier it has become to confuse defenders looking to attribute an attack to a single group or even country.
The purpose of any RAT, including Poison Ivy, is to keylog credentials, scrape screens, steal documents, and manually traverse a network via a compromised resource such as an unpatched server or PC. Paradoxically perhaps, defenders are now at risk of viewing it as an off-the-shelf, almost generic form of attack FireEye describes as akin to hacker “training wheels,” a threat that can safely be downplayed or even ignored.
“Dismissing this common breed of malware could be a costly mistake. Despite their reputation as a software toy for novice attackers, RATs remain a linchpin of many sophisticated cyberattacks and are used by numerous threat actors,” said FireEye threat intelligence manager, Darien Kindlund.
“Today, we see hundreds of attacks using Poison Ivy targeting very high profile enterprises,” he said.
But as potent as RATs can be, they do have one weakness, which is where Calamine comes in – they require real-time, manual control by an attacker, and that makes them detectable with the right tools. Calamine comes with a module to decrypt remote commands, as well as a layer able to capture the configuration from running malware processes in order to trace and model what they have been doing on a network, FireEye said.
The key is to use RAT detection as the start of the hunt, not the end of it. The presence of a remote attacker inside a network could easily indicate that something more complex and serious is occurring.
“RATs are much more personal and may indicate that you are dealing with a dedicated threat actor that’s interested in your organization specifically,” said the report’s authors.
Earlier this month, FireEye announced details of a $175 million (£115 million) IPO.