PoisonIvy

Malware updated 4 months ago (2024-05-04T20:19:18.815Z)
PoisonIvy (also tracked as PIVY) is a remote access trojan (RAT) known for its damaging capabilities, including stealing personal information and disrupting system operations. It can reach a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it maintains access across compromised assets, as seen in recent campaigns where threat actors leveraged public exploits such as CVE-2017-11882 to spread RATs, including PoisonIvy. PoisonIvy has also been associated with other malware such as Gh0st, CLUBSEAT, and GROOVY.

The GALLIUM PoisonIvy loader was detected by Microsoft Defender ATP, showing that the malware reaches even well-defended environments; a specific instance of this detection is illustrated in Figure 4. PoisonIvy RAT (PIVY) was deployed by threat actors as a second method of maintaining access across the compromised assets. Notably, APT14 threat actors do not typically use zero-day exploits, but they may leverage such exploits once they are made public.

Several backdoors, including NFlog, PoisonIvy, and NewCT, have previously been publicly associated with DragonOK, indicating a possible link between these threats. One analysed sample set also contained variants of xCaon, including packed ones, alongside PoisonIvy, which was likewise reported as part of that actor's arsenal. The malware has been tagged under various categories, including AutoFocus, DragonOK, FormerFirstRAT, HelloBridge, Japan, NewCT, NFlog, PlugX, PoisonIvy, and Sysget, reflecting its widespread impact and its association with multiple threat actors and tools.
Description last updated: 2024-05-04T20:16:09.138Z
Aliases: none currently tracked.
Source Document References
Information about the PoisonIvy malware was read from the document corpus below (display limited to 20 results).

Source, created, title:
MITRE, 2 years ago: Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers
MITRE, 2 years ago: GALLIUM: Targeting global telecom
MITRE, 2 years ago: APT Trends report Q1 2018
MITRE, 2 years ago: Threat Spotlight: Group 72
MITRE, 2 years ago: IndigoZebra APT continues to attack Central Asia with evolving tools - Check Point Research
MITRE, 2 years ago: Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets
MITRE, 2 years ago: Advanced Persistent Threats (APTs) | Threat Actors & Groups