Malware: PoisonIvy

Description

[PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005)

External References

• mitre-attack
• FireEye Poison Ivy
• Symantec Darkmoon Aug 2005
• Novetta-Axiom
• Symantec Elderwood Sept 2012
• Symantec Darkmoon Sept 2014

Techniques Used by This Malware

• T1005 — Data from Local System
• T1010 — Application Window Discovery
• T1014 — Rootkit
• T1027 — Obfuscated Files or Information
• T1055.001 — Dynamic-link Library Injection
• T1056.001 — Keylogging
• T1059.003 — Windows Command Shell
• T1074.001 — Local Data Staging
• T1105 — Ingress Tool Transfer
• T1112 — Modify Registry
• T1480.002 — Mutual Exclusion
• T1543.003 — Windows Service
• T1547.001 — Registry Run Keys / Startup Folder
• T1547.014 — Active Setup
• T1573.001 — Symmetric Cryptography

APT Groups Using This Malware

• Elderwood
• admin@338
• APT5
• Mustang Panda
• menuPass
• Tropic Trooper
• Molerats
• GALLIUM
• Axiom
• APT1
• PittyTiger
• IndigoZebra
• Moafee
• DragonOK