FireEye has just released a research report on the Poison Ivy Remote Access Tool (RAT). A RAT is a malicious program that gives a remote user unfettered, surreptitious access to the infected system. Poison Ivy is an easy-to-use RAT that provides the attacker with a Windows graphical interface. Its features include keylogging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying. Attackers can use these features to move laterally and escalate system privileges. You can watch a RAT in action in our posting Spearphishing – The Movie.

FireEye makes two critical observations about RATs such as Poison Ivy. First, because these RATs are not technically sophisticated, security professionals tend to dismiss them as software toys for “script kiddies” that pose no serious security threat. Government policy makers make the same assumption, as shown in the Defense Science Board report “Resilient Military Systems and the Advanced Cyber Threat.” Second, the assumption that technically simple RATs are not a serious security threat is WRONG. FireEye notes several very damaging attacks that used Poison Ivy, among them the compromise of the RSA SecurID token.

FireEye notes that common RATs include a very troubling feature: encryption. After the RAT is installed, much of its dirty work is hidden by encryption. To help counter RATs, FireEye released, alongside this new research, a tool aptly named “Calamine” that can defeat some of the encrypted functions of Poison Ivy. FireEye notes that while Calamine will help, determined attackers can evade it.

In addition to the RAT itself not being technically sophisticated, the means by which it is introduced also lacks technical sophistication. FireEye tells us that the preferred means of introducing this RAT into a network is spearphishing. The unsophisticated malware is delivered using social engineering, not computer science. It is yet another reminder that, as Dr. Frederick Chang, former NSA Director of Research, warned:

… cybersecurity is fundamentally about an adversarial engagement. Humans must defend machines that are attacked by other humans using machines.

It is important not to be lulled into a false sense of security because an attack method is not technically sophisticated. You need many layers of defense. You need to monitor your systems. And IT needs to help employees avoid the deception practiced by spearphishers. That is where SP Guard comes into play. Using SP Guard, IT can define a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at 408-727-6342, ext. 3, or use our online form.