PoisonIvy

Malware Profile Updated 2 months ago
PoisonIvy (also tracked as PIVY) is a remote access Trojan (RAT) used to steal information from and maintain covert control over compromised hosts. It is typically delivered through malicious downloads, e-mail attachments or websites, without the user's knowledge. In the campaigns referenced below it was deployed as a second means of maintaining access across compromised assets, and threat actors spread it using public exploits such as CVE-2017-11882. PoisonIvy has also been associated with other malware families, including Gh0st, CLUBSEAT and GROOVY.

A PoisonIvy loader used by GALLIUM was detected by Microsoft Defender ATP; a specific instance of this detection is illustrated in Figure 4 of the source report. APT14 threat actors do not typically use zero-day exploits, but may leverage such exploits once they are made public. Several backdoors, including NFlog, PoisonIvy and NewCT, have previously been publicly associated with DragonOK, indicating a possible link between these threats. Other samples in the Check Point IndigoZebra sample set appear to be variants of xCaon, including packed ones, or of PoisonIvy, which was also reported as part of that actor's arsenal. The malware carries the tags AutoFocus, DragonOK, FormerFirstRAT, HelloBridge, Japan, NewCT, NFlog, PlugX, PoisonIvy and Sysget, reflecting its association with multiple actors and campaigns.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following overlapping names and profiles may also be relevant.
xCaon (1 vote): xCaon is a malicious software, or malware, that has been used in cyber-espionage operations for several years, particularly by the Chinese-speaking APT actor "IndigoZebra." The earliest identified samples date back to 2014. This malware family has targeted governmental agencies in Central Asia and f
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft, Loader, Rat, Exploit, Zero Day, Malware, exploited, Exploits
Associated Malware
PlugX (Unspecified, 1 vote): PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It

Darkmoon (Unspecified, 1 vote): Darkmoon, also known as Poison Ivy, is a notorious malware often employed in targeted attacks. As a remote access Trojan (RAT), it infiltrates systems to exploit and damage them, typically without the user's knowledge. Darkmoon can infect computers or devices through suspicious downloads, emails, or
Associated Threat Actors
GALLIUM (Unspecified, 1 vote): Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas

DragonOK (Unspecified, 1 vote): DragonOK, a threat actor group reportedly linked to China, has been associated with various malicious activities, including the deployment of the infamous Remote Access Trojan (RAT) known as FormerFirstRAT. This multi-featured RAT allows threat actors to gain complete control over a targeted machine
Associated Vulnerabilities
CVE-2017-11882 (Unspecified, 1 vote): CVE-2017-11882 is a stack buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE) shipped with Microsoft Office. Opening a crafted document that embeds an Equation Editor object is enough to trigger arbitrary code execution; no macros are required. The vulnerability was exploited by a document weaponizer known as Royal Road, which is shared among various Chinese state-sponsored groups. The tool facilitates the creation of harmful
Source Document References
Information about the PoisonIvy malware was read from the documents in the corpus below. This display is limited to 20 results.
MITRE (a year ago): Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers
MITRE (a year ago): GALLIUM: Targeting global telecom
MITRE (a year ago): APT Trends report Q1 2018
MITRE (a year ago): Threat Spotlight: Group 72
MITRE (a year ago): IndigoZebra APT continues to attack Central Asia with evolving tools - Check Point Research
MITRE (a year ago): Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets
MITRE (a year ago): Advanced Persistent Threats (APTs) | Threat Actors & Groups