PIVY (Poison Ivy) is a remote access trojan that has been used in many intrusions against computers and devices. It is typically delivered through dubious downloads, emails, or websites, often without the user's awareness. Once installed, it can be used to steal personal information, disrupt operations, or even hold data for ransom. PIVY has been linked to several campaigns, including those of the menuPass group, which is identified by specific passwords found in the PIVY samples: three samples use "menuPass" and another uses "keaidestone", leading to high confidence that the recent attacks were perpetrated by the menuPass group.
FireEye's 2013 paper detailed various campaigns utilizing PIVY and included menuPass as one of them; additional details were added in a later blog post. From September through November 2016, an Advanced Persistent Threat (APT) campaign attributed to "menuPass" targeted Japanese academics, pharmaceutical companies, and a US-based subsidiary of a Japanese manufacturing organization. Along with PlugX and Poison Ivy (PIVY), the group also deployed a new Trojan called "ChChes." Unlike PlugX and PIVY, which are used by multiple campaigns, ChChes appears to be unique to this group.
The menuPass group's activities have been well documented by cybersecurity firms and researchers. In addition to PIVY, the group has also employed other malware, such as PlugX and ChChes, in its operations. The latter, according to the Japan Computer Emergency Response Team Coordination Center (JPCERT), appears to be used exclusively by the menuPass group. These consistent patterns of behavior, coupled with the distinctive passwords found in PIVY samples, provide strong evidence linking these cyber-attacks to the menuPass group.
Description last updated: 2024-05-05T12:46:04.299Z