The notorious Poison Ivy remote access tool (RAT) is still successfully used by cybercriminals, according to security researchers from FireEye. The IT security firm has published a detailed report on the RAT family.
Poison Ivy has been used in numerous high-profile cyber operations, including the Nitro campaign, which targeted governments, defense companies and human rights groups, and the 2011 intrusion at RSA that compromised SecurID data.
The RAT has also been used by state-sponsored actors, including admin@338, th3bug and menuPass.
Because Poison Ivy is so widely used, experts say it is difficult to attribute a given sample to a particular attacker. To help with that, FireEye has released a tool package called Calamine, which lets security professionals decrypt the RAT's command-and-control traffic and recover its configuration, so that its behavior and communications can be profiled and compared across incidents.
The complete report is available here. The Calamine package can be downloaded from here.