PoisonIvy
Associated Software Descriptions
Name | Description |
---|---|
Poison Ivy | (Citation: FireEye Poison Ivy) (Citation: Symantec Darkmoon Sept 2014) |
Breut | (Citation: Novetta-Axiom) |
Darkmoon | (Citation: Symantec Darkmoon Sept 2014) |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk.(Citation: Symantec Darkmoon Aug 2005) |
Enterprise | T1547.014 | Boot or Logon Autostart Execution: Active Setup | PoisonIvy creates a Registry key in the Active Setup pointing to a malicious executable.(Citation: Microsoft PoisonIvy 2017)(Citation: paloalto Tropic Trooper 2016)(Citation: FireEye Regsvr32 Targeting Mongolian Gov) |
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | PoisonIvy creates a backdoor through which remote attackers can open a command-line interface.(Citation: Symantec Darkmoon Aug 2005) |
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | PoisonIvy creates a Registry subkey that registers a new service. PoisonIvy also creates a Registry entry modifying the Logical Disk Manager service to point to a malicious DLL dropped to disk.(Citation: Symantec Darkmoon Aug 2005) |
Enterprise | T1074.001 | Data Staged: Local Data Staging | PoisonIvy stages collected data in a text file.(Citation: Symantec Darkmoon Aug 2005) |
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | PoisonIvy uses the Camellia cipher to encrypt communications.(Citation: FireEye Poison Ivy) |
Enterprise | T1480.002 | Execution Guardrails: Mutual Exclusion | PoisonIvy creates a mutex using either a custom or default value.(Citation: FireEye Poison Ivy) |
Enterprise | T1056.001 | Input Capture: Keylogging | PoisonIvy contains a keylogger.(Citation: FireEye Poison Ivy)(Citation: Symantec Darkmoon Aug 2005) |
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | PoisonIvy can inject a malicious DLL into a process.(Citation: FireEye Poison Ivy)(Citation: Symantec Darkmoon Aug 2005) |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0066 | Elderwood | (Citation: Symantec Elderwood Sept 2012) |
 | | (Citation: Cylance Dust Storm) |
G1023 | APT5 | (Citation: Mandiant Advanced Persistent Threats) |
G0093 | GALLIUM | (Citation: Cybereason Soft Cell June 2019) (Citation: Microsoft GALLIUM December 2019) |
G0006 | APT1 | (Citation: Mandiant APT1) |
G0018 | admin@338 | (Citation: FireEye admin@338) |
G0081 | Tropic Trooper | (Citation: Unit 42 Tropic Trooper Nov 2016) |
G0017 | DragonOK | (Citation: Operation Quantum Entanglement) |
G0011 | PittyTiger | (Citation: Villeneuve 2014) |
G0136 | IndigoZebra | (Citation: Securelist APT Trends Q2 2017) |
G0001 | Axiom | (Citation: Cisco Group 72) (Citation: Novetta-Axiom) |
G0045 | menuPass | (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: District Court of NY APT10 Indictment December 2018) |
G0002 | Moafee | (Citation: Haq 2014) |
G0129 | Mustang Panda | (Citation: Crowdstrike MUSTANG PANDA June 2018) (Citation: Recorded Future REDDELTA July 2020) |
G0021 | Molerats | (Citation: DustySky) (Citation: DustySky2) (Citation: FireEye Operation Molerats) |
References
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024.
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
- Payet, L. (2014, September 19). Life on Mars: How attackers took advantage of hope for alien existance in new Darkmoon campaign. Retrieved September 13, 2018.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- McCormack, M. (2017, September 15). Backdoor:Win32/Poisonivy.E. Retrieved December 21, 2020.
- Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.
- Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
- Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015.
- Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.
- Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
- Haq, T., Moran, N., Scott, M., & Vashisht, S. O. (2014, September 10). The Path to Mass-Producing Cyber Attacks [Blog]. Retrieved November 12, 2014.
- Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
- Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.
- Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.