A malicious software tool perhaps most famously used to hack RSA's SecurID infrastructure is still being used in targeted attacks, according to security vendor
Poison Ivy is a remote access Trojan (RAT) that was released eight years ago but is still favored by some hackers,
For its analysis, the company collected 194 samples of Poison Ivy used in attacks dating to 2008, looking at the passwords used by the attackers to access the RATs and the command-and-control servers used.
Three groups, one of which appears to be based in
The group admin388 is believed to have been active as early as
Victims are usually targeted by that group with spear-phishing emails, which contain a malicious Microsoft Word or PDF attachment with the Poison Ivy code. The emails are in English but use a Chinese character set in the email message body.
Poison Ivy's presence may indicate a more discerning interest by an attacker, since it must be controlled manually in real-time.
"RATs are much more personal and may indicate that you are dealing with a dedicated threat actor that is interested in your organization specifically,"
To help organizations detect Poison Ivy,
Stolen information is encrypted by Poison Ivy using the Camellia cipher with a 256-bit key before it is sent to a remote server,
Most Popular Stories
- Twitter Names Woman to Board
- Aspen Contracting Adding 300 Jobs
- Obamacare Doing Just Fine, Ky. Governor Says
- Rand Paul Signs up for Obamacare
- Hispanic Employment Improves in November
- U.S. Chamber to Run Ads in Idaho, W.Va.
- U.S. Unemployment Rate Dips to 7 Percent
- Consumer Spending Rises, Incomes Fall
- American Eagle Issues Weak Q4 Outlook
- NSA Tracks 5 Billion Cellphone Records a Day