| ID | X0014 |
| Aliases | None |
| Platforms | Windows |
| Year | 2005 |
| Associated ATT&CK Software | PoisonIvy |
Poison Ivy is a Remote Access Trojan (RAT).
See ATT&CK: Poison Ivy - Techniques Used.
| Name | Use |
|---|---|
| Defense Evasion::Process Injection (E1055) | Code is injected into explorer.exe. [2] |
| Collection::Input Capture (E1056) | Poison Ivy can capture audio and video. [2] |
| Collection::Keylogging (F0002) | Poison Ivy can capture keystrokes. [2] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | To start itself at system boot, Poison Ivy adds registry entries. [4] |
| Execution::Command and Scripting Interpreter (E1059) | After the Poison Ivy server is running on the target machine, the attacker uses a Windows GUI client to control the target computer. [1] |
| Anti-Static Analysis::Executable Code Obfuscation::Stack Strings (B0032.017) | A Poison Ivy variant encrypts all its strings. [3] |
| Command and Control::Ingress Tool Transfer (E1105) | The Poison Ivy implant is run on the target machine. [2] |
| Defense Evasion::Obfuscated Files or Information (E1027) | The malware obfuscates files. [2] |
| Name | Use |
|---|---|
| Impact::Remote Access (B0022) | After the Poison Ivy server is running on the target machine, the attacker uses a Windows GUI client to control the target computer. [1] |
| Cryptography::Encrypt Data::Camellia (C0027.003) | Poison Ivy's custom network protocol over TCP is encrypted using Camellia cipher with a 256-bit key. [2] |
| Process::Create Mutex (C0042) | Poison Ivy has a default process mutex, but it can be altered at build time. [3] |
| Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints (B0001.005) | A Poison Ivy variant checks for breakpoints and exits immediately if found. [3] |
| Discovery::Analysis Tool Discovery (B0013) | A Poison Ivy variant runs a thread to check if any analysis tools are running by creating specially named pipes that are created by various analysis tools. If one of the named pipes cannot be created, it means one of the analysis tools is running. [3] |
| Discovery::Analysis Tool Discovery::Known Windows Class Name (B0013.010) | A Poison Ivy variant goes through all the running program windows to check if any Windows class name contains a special string to determine if an analysis tool is running. [3] |
| Process::Check Mutex (C0043) | A Poison Ivy variant checks if the wireshark-is-running{} named mutex object exists. [3] |
| Anti-Behavioral Analysis::Debugger Detection::IsDebuggerPresent (B0001.008) | A Poison Ivy variant uses the IsDebuggerPresent API function call to check if the process is running in a debugger. [3] |
| Communication::Interprocess Communication::Write Pipe (C0003.004) | Poison Ivy writes pipes. [5] |
| File System::Read File (C0051) | Poison Ivy reads files on Windows. [5] |
| File System::Write File (C0052) | Poison Ivy writes files on Windows. [5] |
| Operating System::Registry::Query Registry Value (C0036.006) | Poison Ivy queries or enumerates registry values. [5] |
SHA256 Hashes
- 84d90250568f26328394ac2941fe7be266d43b71309caf40eb8863b38a39a506
- 4d43c64d776a52ac5a0831aa879305c0eabb452ac5131e1b381598ad7e83cc77
[1] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy
[2] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
[3] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant
[4] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/poisonivy
[5] capa v4.0, analyzed at MITRE on 10/12/2022