Poison Ivy: Assessing Damage and Extracting Intelligence
Threat Report

This report spotlights Poison Ivy (PIVY), a RAT that remains popular and effective a full eight years after its release, despite its age and familiarity in IT security circles.

Poison Ivy is a remote access tool that is freely available for download from its official web site at www.poisonivy-rat.com. First released in 2005, the tool has gone unchanged since 2008 with version 2.3.2. Poison Ivy includes features common to most Windows-based RATs, including key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying.

Poison Ivy's wide availability and easy-to-use features make it a popular choice for all kinds of criminals. But it is probably most notable for its role in many high-profile, targeted APT attacks. These APTs pursue specific targets, using RATs to maintain a persistent presence within the target's network. They move laterally and escalate system privileges to extract sensitive information, whenever the attacker wants to do so.

Because some RATs used in targeted attacks are widely available, determining whether an attack is part of a broader APT campaign can be difficult. Equally challenging is identifying malicious traffic to determine the attacker's post-compromise activities and assess overall damage: these RATs often encrypt their network communications after the initial exploit.

In 2011, three years after the most recent release of PIVY, attackers used the RAT to compromise security firm RSA and steal data about its SecurID authentication system. That data was subsequently used in other attacks. The RSA attack was linked to Chinese threat actors and described at the time as extremely sophisticated. Exploiting a zero-day vulnerability, the attack delivered PIVY as the payload. It was not an isolated incident. The campaign appears to have started in 2010, with many other companies compromised.
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers, government agencies, defense contractors, and human rights groups. Still active a year later, the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012. Just recently, PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a "strategic web compromise" attack against visitors to a U.S. government website and a variety of others.

RATs require live, direct, real-time human interaction by the APT attacker. This characteristic is distinctly different from crimeware (malware focused on cybercrime), where the criminal can issue commands to their botnet of compromised endpoints whenever they please and set them to work on a common goal such as a spam relay. In contrast, RATs are much more personal and may indicate that you are dealing with a dedicated threat actor that is interested in your organization specifically.

Copyright 2013 FireEye, Inc. Initial author: FireEye, Inc.; transformer/translator: MITRE. Dates: 2013-08-21, 2014-02-20. Source: http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf
Spear Phishing

An attacker targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised, the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the target's employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.

Strategic Web Compromise

A Strategic Web Compromise is a targeted attack utilizing third-party web sites/resources. The goal is not large-scale malware distribution through mass compromises. Instead, the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in. In the past few years we have witnessed several strategic web compromises of organizations in a variety of fields, with a recurring focus on those involved with freedom of speech, human rights, defense, foreign policy and foreign relations. In these cases, normally trusted websites have been compromised to serve up malicious code designed to give backdoor access into the systems of unsuspecting visitors. In general, a well-patched system will be immune from many of the attacks, but in several cases previously unknown 0-day exploits (no available patch) have found their way onto these sites; in short, the average visitor may not have much of a chance to defend themselves.
Victim Targeting: admin338

Spear Phishing Attack Pattern as practiced by admin338

The preferred attack vector used by admin338 is spear-phishing emails. Using content that is relevant to the target, these emails are designed to entice the target to open an attachment that contains the malicious PIVY server code. The content of the spear-phishing emails and the decoy documents opened after exploitation tend to be in English.
Victim Targeting: th3bug

Strategic Web Compromise Attack Pattern as practiced by th3bug

Unlike other users of PIVY (admin@338 and menuPass), th3bug does not appear to rely on spear phishing to distribute PIVY. Instead, attacks attributed to th3bug use a strategic Web compromise to infect targets. This approach is more indiscriminate, which probably accounts for the more disparate range of targets. In the FireEye blog, we documented a recent th3bug strategic Web compromise.
Victim Targeting: menupass

Spear Phishing Attack Pattern as practiced by menupass

menuPass appears to favor spear phishing to deliver payloads to the intended targets. While the attackers behind menuPass have used other RATs in their campaign, it appears that they use PIVY as their primary persistence mechanism.
Analyze with FireEye Calamine Toolset

Calamine is a set of free tools to help organizations detect and examine Poison Ivy infections on their systems. The package includes these components:

* PIVY callback-decoding tool (ChopShop module, available here: https://github.com/fireeye/chopshop)
* PIVY memory-decoding tool (PIVY PyCommand script, available here: https://github.com/fireeye/pycommands)