SYMBOLCOMMON_NAMEaka. SYNONYMS
win.poison_ivy (Back to overview)

Poison Ivy

aka: SPIVY, pivy, poisonivy

Actor(s): GALLIUM, Molerats, Mustang Panda, Nightshade Panda, Pirate Panda, Stone Panda, TA428, Temper Panda

VTCollection    

There is no description at this point.

References
2022-11-30FFRI SecurityMatsumoto
Evolution of the PlugX loader
PlugX Poison Ivy
2022-08-22FortinetFred Gutierrez, Shunichi Imano
A Tale of PivNoxy and Chinoxy Puppeteer
Chinoxy Poison Ivy
2022-07-31BushidoToken BlogBushidoToken
Space Invaders: Cyber Threats That Are Out Of This World
Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker
2022-07-18Palo Alto Networks Unit 42Unit 42
Crawling Taurus
Poison Ivy APT20
2022-07-18Palo Alto Networks Unit 42Unit 42
Shallow Taurus
FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK
2022-05-17Positive TechnologiesPositive Technologies
Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax
2022-05-16JPCERT/CCShusei Tomonaga
Analysis of HUI Loader
HUI Loader PlugX Poison Ivy Quasar RAT
2021-06-16Recorded FutureInsikt Group®
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA
2021-03-17Recorded FutureInsikt Group®
China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy TA428
2021-02-01ESET ResearchIgnacio Sanmillan, Matthieu Faou
Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy Red Dev 17
2021-01-15SwisscomMarkus Neis
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2021-01-08Youtube (Virus Bulletin)Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger TA428
2020-10-30YouTube (Kaspersky Tech)Kris McConkey
Around the world in 80 days 4.2bn packets
Cobalt Strike Derusbi HyperBro Poison Ivy ShadowPad Winnti
2020-10-01US-CERTUS-CERT
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy
2020-09-30NTT SecurityFumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: colourful Panda footprint (Slides)
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30NTT SecurityFumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-16RiskIQJon Gross
RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy
2020-08-28NTTFumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation Lagtime IT: Colourful Panda Footprint
Cotx RAT Poison Ivy TA428
2020-08-19NTT SecurityFumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: Colorful Panda Footprint
8.t Dropper Cotx RAT Poison Ivy TA428
2020-03-12Check PointCheck Point Research
Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy
2020-03-02Virus BulletinAlex Hinchliffe
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy
2020-01-29nao_sec blognao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020-01-09Lab52Jagaimo Kawaii
TA428 Group abusing recent conflict between Iran and USA
Poison Ivy
2020-01-01SecureworksSecureWorks
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27
2020-01-01SecureworksSecureWorks
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10
2020-01-01SecureworksSecureWorks
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17
2020-01-01SecureworksSecureWorks
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19
2020-01-01SecureworksSecureWorks
ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-07-23ProofpointDennis Schwarz, Michael Raggi, Proofpoint Threat Insight Team
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428
2019-06-25CybereasonCybereason Nocturnus
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell
2019-01-01Virus BulletinBowen Pan, Lion Gu
A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell
2018-09-21Qihoo 360 TechnologyQihoo 360
Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment
Poison Ivy
2018-05-15BSides DetroitKeven Murphy, Stefano Maccaglia
IR in Heterogeneous Environment
Korlia Poison Ivy
2017-09-15FortinetXiaopeng Zhang
Deep Analysis of New Poison Ivy/PlugX Variant - Part II
Poison Ivy
2017-08-31NCC GroupAhmed Zaki
Analysing a recent Poison Ivy sample
Poison Ivy
2017-08-23FortinetXiaopeng Zhang
Deep Analysis of New Poison Ivy Variant
Poison Ivy
2017-05-31MITREMITRE ATT&CK
PittyTiger
Enfal Ghost RAT MimiKatz Poison Ivy APT24
2016-11-22Palo Alto Networks Unit 42Jen Miller-Osborn, Robert Falcone, Tom Lancaster, Vicky Ray
Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
Poison Ivy
2016-04-26Github (CyberMonitor)Jason Jones
New Poison Ivy Activity Targeting Myanmar, Asian Countries
Poison Ivy
2016-04-22Palo Alto Networks Unit 42Brandon Levene, Jen Miller-Osborn, Micah Yates, Mike Scott
New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
Poison Ivy
2015-02-06CrowdStrikeCrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-09-19Palo Alto Networks Unit 42Jen Miller-Osborn, Ryan Olson
Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy
Poison Ivy
2014-01-01FireEyeFireEye
Operation Quantum Entanglement
IsSpace NewCT Poison Ivy SysGet
2013-10-31FireEyeNed Moran, Thoufique Haq
Know Your Enemy: Tracking A Rapidly Evolving APT Actor
Bozok Poison Ivy TEMPER PANDA
2013-08-23FireEyeNart Villeneuve, Ned Moran, Thoufique Haq
Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
Poison Ivy Molerats
2011-01-01SymantecErica Eng, Gavin O'Gorman
The Nitro Attacks: Stealing Secrets from the Chemical Industry
Poison Ivy Nitro
2010-01-01MandiantEro Carrera, Peter Silberman
State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus
Yara Rules
[TLP:WHITE] win_poison_ivy_auto (20230808 | Detects win.poison_ivy.)
rule win_poison_ivy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.poison_ivy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff9681000000 80beaf08000001 7507 b902000080 eb05 }
            // n = 5, score = 100
            //   ff9681000000         | call                dword ptr [esi + 0x81]
            //   80beaf08000001       | cmp                 byte ptr [esi + 0x8af], 1
            //   7507                 | jne                 9
            //   b902000080           | mov                 ecx, 0x80000002
            //   eb05                 | jmp                 7

        $sequence_1 = { b902000080 eb05 b901000080 8d45fc }
            // n = 4, score = 100
            //   b902000080           | mov                 ecx, 0x80000002
            //   eb05                 | jmp                 7
            //   b901000080           | mov                 ecx, 0x80000001
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_2 = { 51 ff5635 68ff000000 8d86b1060000 }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   ff5635               | call                dword ptr [esi + 0x35]
            //   68ff000000           | push                0xff
            //   8d86b1060000         | lea                 eax, [esi + 0x6b1]

        $sequence_3 = { 50 6a01 6a00 8d86120e0000 50 ff75fc }
            // n = 6, score = 100
            //   50                   | push                eax
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   8d86120e0000         | lea                 eax, [esi + 0xe12]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_4 = { b901000080 8d45fc 50 683f000f00 6a00 57 51 }
            // n = 7, score = 100
            //   b901000080           | mov                 ecx, 0x80000001
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   683f000f00           | push                0xf003f
            //   6a00                 | push                0
            //   57                   | push                edi
            //   51                   | push                ecx

        $sequence_5 = { 51 57 ff9681000000 8d45fc }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   57                   | push                edi
            //   ff9681000000         | call                dword ptr [esi + 0x81]
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_6 = { 8d86120e0000 50 ff75fc ff563d ff75fc ff5631 }
            // n = 6, score = 100
            //   8d86120e0000         | lea                 eax, [esi + 0xe12]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff563d               | call                dword ptr [esi + 0x3d]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff5631               | call                dword ptr [esi + 0x31]

    condition:
        7 of them and filesize < 204800
}
[TLP:WHITE] win_poison_ivy_w0   (20170517 | No description)
rule win_poison_ivy_w0 {
    meta:
        author = "Matthew Ulm"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/pivy.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy"
        malpedia_version = "20170517"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // presence of pivy in memory
        $a = {00 00 00 00 00 00 00 00 00 00 00 53 74 75 62 50 61 74 68 00} 

    condition: 
        any of them
}
Download all Yara Rules