In February 2013, Mandiant published a report exposing APT1, one of the cyber espionage units based in China. They found that APT1 is one of the most prolific cyber espionage groups, having stolen hundreds of terabytes of sensitive proprietary data through Advanced Persistent Threats (APTs). Mandiant concluded that APT1 is likely Chinese government-sponsored and has links with the People’s Liberation Army Unit 61398.
A Remote Access Trojan (RAT) is malware that provides an attacker access and remote control of their victim’s computer system. RATs are a key component of APTs. The Chinese APT1 infiltrated their targets with a RAT named Poison Ivy, and also used their own custom-built RAT. I examine Poison Ivy here in order to get greater insight into RATs.
Poison Ivy is not a new threat. It emerged in 2006, and has had various updates, the last in 2008. Poison Ivy is a malware creation kit that can be configured by the attacker before distributing to the target. It has been available from the Poison Ivy website, as well as through underground websites and forums (such as OpenSC and SweRAT). At one point the Poison Ivy developer (“Jonas”) was offering custom-built versions guaranteed to avoid antivirus detection.
Poison Ivy is structured to operate as client/server architecture – it comprises both a server as well as a client component. PCs infected with the malware become servers that can be controlled remotely by the attacker using the client software. The server software communicates with the client through a TCP connection (the default port is 3460). Communication between the server and client is encrypted. The malware code itself is obfuscated to avoid detection. The server component is only a small file of 7-10KB.
The attacker controlling the Poison Ivy client is able to do a range of malicious activities remotely on the infected PC, such as:
– Download and upload files
– Log keystrokes
– Inject malicious code
– Manipulate the registry
– Screen capture
– Video and audio capture, by manipulating the camera and microphone on the infected PC
– Password stealing
The attacker generally infects the target through an email attachment which the target is enticed to activate through social engineering. Infection can also be via drive-by download. On average, it takes almost a year for an organisation to discover they have been infected with a RAT. During that time the attacker enjoys full remote access to steal whatever he chooses.
The Chinese APT1 attacks were targeted at 141 organisations mainly in the US, but also in the UK, Israel, India, and several other countries. In addition, Poison Ivy has been used successfully in the widely-reported attack on security company RSA, as well as on a number of chemical and defence companies in the US and UK, and on the Israeli Institute for National Security Studies.
A computer security incident response team based in Luxembourg, have undertaken research into the methodologies used by the Chinese hackers. They infiltrated the attacker’s systems to understand how they use Poison Ivy (as well as their custom-built RAT named Terminator). Their report describing how they achieved this makes very interesting reading. The Luxembourg team found that the Chinese hackers kept normal office hours, used more than 300 servers (one per target), and use proxy servers to hide their activities.
As the well-publicised Mandiant report illustrated, Advanced Persistent Threats are a major cyber threat today. Even the most secure organisations are easy targets for RATs. Many mainstream, traditional IT security solutions are becoming less and less effective. Unfortunately organisational IT security tends to be a low risk discipline, slow to change. Compliance often takes higher priority than real security. Clinging to outdated security solutions is rewarded and trying new ideas is risky. Greater courage is required, organisations need to make quicker use of new innovative technology to tackle today’s threats. If you smell a RAT in your system it could well be Poison Ivy or one of it’s relatives.