🕰️ PoisonIvy: The Classic Remote Control

Malmon Profile

Classification: 🕰️ Legacy APT/Infostealer ⭐⭐
Discovery Credit: Security researchers, 2005
First Documented: 2005
Threat Level: Intermediate (Classic RAT with modern variants)

Malmon Card Reference

LEGACY | PoisonIvy | RAT/Espionage | ⭐⭐

PoisonIvy is a notorious remote access trojan (RAT) used in cyber espionage since the mid-2000s. It allows attackers to control infected machines remotely—capturing keystrokes, stealing data, and spying via webcam or screen. Lightweight, stealthy, and highly customizable, PoisonIvy has been linked to several high-profile APT operations across the globe.

🔥 Classic Remote Access: Traditional RAT capabilities with file transfer, keylogging, and system control
Long-term Persistence: Designed for extended presence with minimal detection signatures
🔮 Campaign Coordination: Often used in conjunction with other tools in targeted attack campaigns
⬆️ Sophisticated Espionage Operation: Integrates with advanced persistent threat campaigns for intelligence gathering
💎 Behavioral Detection: Network communications and system behavior patterns reveal presence

Card stats: 🔍 Detection 6 · 🔒 Persistence 9 · 📡 Spread 5 · 💣 Payload 7 · 🥷 Evasion 6

Technical Characteristics

MITRE ATT&CK Mapping

  • Initial Access: T1566.001 (Spearphishing Attachment), T1189 (Drive-by Compromise)
  • Execution: T1204.002 (Malicious File)
  • Persistence: T1547.001 (Registry Run Keys), T1053.005 (Scheduled Task)
  • Privilege Escalation: T1134 (Access Token Manipulation)
  • Defense Evasion: T1055 (Process Injection), T1027 (Obfuscated Files)
  • Credential Access: T1056.001 (Keylogging), T1555 (Credentials from Password Stores)
  • Discovery: T1057 (Process Discovery), T1082 (System Information Discovery)
  • Collection: T1005 (Data from Local System), T1113 (Screen Capture)
  • Command and Control: T1071.001 (Web Protocols) for variants that tunnel over HTTP; the classic builder speaks its own binary TCP protocol (default listener port 3460) encrypted with Camellia, so T1095 (Non-Application Layer Protocol) and T1573.001 (Symmetric Cryptography) describe the original implant more accurately
  • Exfiltration: T1041 (Exfiltration Over C2 Channel)

Core Capabilities

Classic RAT Functionality:

  • Complete remote desktop access and system control
  • Keystroke logging and credential harvesting
  • File system access, upload, and download capabilities
  • +2 bonus to comprehensive system monitoring and data collection

Stealth and Persistence:

  • Process injection and rootkit-like hiding capabilities
  • Registry and file system persistence mechanisms
  • Network communication obfuscation and encryption
  • +2 bonus to long-term undetected presence
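
A triage script for the registry and scheduled-task persistence described above, added here as an example; it is not code from this page, from PoisonIvy, or from any tool the page names. It runs over constructed Sysmon-style records (Event ID 13 registry value writes and Event ID 1 process creations). The field names follow Sysmon's conventions, but the directory heuristics, the list of "odd writer" processes and the sample rows are assumptions chosen for the example.

```python
"""Persistence triage over Sysmon-style events (constructed sample data).

Added example for this page, not PoisonIvy code and not a vendor tool.
Field names follow Sysmon's Event ID 13 (RegistryEvent) and Event ID 1
(ProcessCreate) conventions; the directory heuristics are assumptions.
"""
import re

# Autostart locations a RAT commonly writes (compare T1547.001).
RUN_KEYS = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce)\\|\\Winlogon\\(Shell|Userinit)$", re.I)

# Directories a normal user can write without admin rights. An autostart
# entry or a scheduled task pointing here is not proof of compromise, but
# it is where drop-and-persist malware usually lands.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\",
    re.I)

# Processes that rarely have a legitimate reason to register autostarts
# (assumed list; tune to the environment).
ODD_WRITERS = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe",
               "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def first_path(launch_string):
    """Return the executable path from a launch string such as
    '"C:\\dir\\a.exe" -k' or 'C:\\dir\\a.exe --flag', handling quotes."""
    s = launch_string.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_persistence(events):
    """Return one finding (with reasons) per event that looks like RAT persistence."""
    findings = []
    for ev in events:
        reasons = []
        image = ev.get("Image", "")
        if ev.get("EventID") == 13 and RUN_KEYS.search(ev.get("TargetObject", "")):
            target = first_path(ev.get("Details", ""))
            if USER_WRITABLE.search(target):
                reasons.append("autostart points into a user-writable directory")
            if _basename(image) in ODD_WRITERS:
                reasons.append(f"autostart written by {_basename(image)}")
            if USER_WRITABLE.search(image):
                reasons.append("writer itself runs from a user-writable directory")
        elif ev.get("EventID") == 1 and _basename(image) == "schtasks.exe":
            cmd = ev.get("CommandLine", "")
            if re.search(r"/create\b", cmd, re.I):
                m = re.search(r'/tr\s+("[^"]*"|\S+)', cmd, re.I)
                task_target = first_path(m.group(1)) if m else ""
                if USER_WRITABLE.search(task_target):
                    reasons.append("scheduled task runs a binary from a user-writable directory")
                if re.search(r"/sc\s+minute\b", cmd, re.I):
                    reasons.append("task repeats every few minutes (beacon-like cadence)")
        if reasons:
            findings.append({"UtcTime": ev.get("UtcTime"), "Image": image,
                             "reasons": reasons})
    return findings


# Constructed sample: two suspicious registry writes, one benign installer
# write, and one scheduled task pointing at a user-writable binary.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-03-02 02:14:07",
     "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r'"C:\Users\alice\AppData\Roaming\svchost.exe"'},
    {"EventID": 13, "UtcTime": "2024-03-02 09:30:11",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" --tray'},
    {"EventID": 1, "UtcTime": "2024-03-02 02:15:40",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "C:\Users\alice\AppData\Local\Temp\upd.exe"'},
    {"EventID": 13, "UtcTime": "2024-03-02 14:02:55",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Helper",
     "Details": r"C:\ProgramData\helper.exe"},
]

if __name__ == "__main__":
    for f in triage_persistence(SAMPLE_EVENTS):
        print(f["UtcTime"], f["Image"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample, the installer's Run key write produces no finding while the three drop-and-persist patterns each produce two reasons; in a real hunt the same logic runs over an EDR or SIEM export, and the writer-process check is what separates a RAT dropped by a phishing document from an ordinary software install.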

Modular Expansion (Hidden Ability):

  • Plugin architecture allowing capability enhancement
  • Can load additional modules for specific target requirements
  • Supports custom tools and exploits for specialized objectives
  • Triggers evolution to advanced persistent threat with custom toolsets

Type Effectiveness Against PoisonIvy

Understanding which security controls work best against classic APT/Infostealer threats like PoisonIvy:

  • Trojan: weak to Detection; resists Training
  • Worm: weak to Isolation; resists Backup
  • Ransomware: weak to Backup; resists Encryption
  • Rootkit: weak to Forensics; resists Detection
  • APT: weak to Intelligence
  • Phishing: weak to Training
  • Botnet: weak to Coordination
  • Infostealer: weak to Encryption

Key Strategic Insights for IMs:

  • Most Effective: Behavioral Analysis (detects remote control activities), Network Monitoring (C2 communications), User Activity Monitoring (unusual system access)
  • Moderately Effective: Signature Detection (well-known family), Threat Intelligence (established IOCs), Access Controls (limits privilege escalation)
  • Least Effective: User Education (post-infection focus), Air-gap Controls (already inside network), Physical Security (software-based threat)

Classic RAT Considerations:
This represents traditional remote access trojans - emphasize behavioral detection, network monitoring, and the importance of assuming breach when investigating.

Vulnerabilities

Signature-Based Detection:

  • Well-known malware family with extensive signature coverage
  • Network communication patterns identifiable by modern monitoring
  • -2 penalty against updated antivirus and network detection systems

User Activity Monitoring:

  • Remote control activities create obvious behavioral anomalies
  • File access and system manipulation detectable through endpoint monitoring
  • Vulnerable to user activity analysis and behavioral detection systems
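
The two weaknesses above (identifiable network communication patterns and behavioral anomalies from remote control activity) as an added example, not anything from the original page: a beacon finder that groups connection records per host, process and destination, measures how regular the gaps between connections are, and reports how much of the activity falls outside business hours. The connection records, the business-hours window and the thresholds are constructed or assumed for the example; the port annotation uses 3460, the classic PoisonIvy default listener port, purely as a threat-intel hint. The code does not decode PoisonIvy's protocol.

```python
"""Beacon and off-hours detection over connection records (constructed data).

Added example for this page, not PoisonIvy code and not a decoder for its
protocol. Records look like Sysmon Event ID 3 / firewall logs reduced to
time, host, process image, destination and port. Timestamps are assumed to
be in the site's local time zone; the business-hours window, thresholds and
sample rows are assumptions chosen for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local (assumption)
MIN_CONNECTIONS = 8             # below this the gap statistics mean little
MAX_JITTER_CV = 0.25            # stdev/mean of inter-connection gaps

# Threat-intel enrichment: 3460 is the classic PoisonIvy default listener
# port. A match is a hint, never proof; operators change ports.
KNOWN_RAT_PORTS = {3460: "PoisonIvy default listener port"}


def _constructed_sample():
    """Build constructed connection records; not real telemetry."""
    rows = []
    # A RAT-like process calling out every 60 s with a few seconds of
    # jitter, starting at 22:00 when the user is gone.
    base = datetime(2024, 3, 1, 22, 0, 0)
    for i in range(20):
        rows.append({"time": base + timedelta(seconds=60 * i + (i * 7) % 5),
                     "host": "WS-017",
                     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
                     "dst": "203.0.113.45", "port": 3460})
    # Ordinary browsing: bursty gaps during the working day.
    t = datetime(2024, 3, 1, 10, 15, 0)
    for gap in (1, 3, 45, 2, 300, 7, 120, 1, 900, 4, 60, 2):
        t += timedelta(seconds=gap)
        rows.append({"time": t, "host": "WS-017",
                     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                     "dst": "198.51.100.10", "port": 443})
    return rows


SAMPLE_CONNECTIONS = _constructed_sample()


def find_beacons(rows, min_connections=MIN_CONNECTIONS, max_cv=MAX_JITTER_CV):
    """Group connections per (host, image, dst, port) and flag groups whose
    inter-connection gaps are regular enough to look machine-driven."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["host"], r["image"], r["dst"], r["port"])].append(r["time"])

    findings = []
    for (host, image, dst, port), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: a human browsing produces wildly varying
        # gaps (cv well above 1); a timer-driven implant stays near 0.
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv > max_cv:
            continue
        off_hours = sum(t.hour not in BUSINESS_HOURS for t in times) / len(times)
        findings.append({
            "host": host, "image": image, "dst": f"{dst}:{port}",
            "connections": len(times),
            "period_s": int(statistics.median(gaps)),
            "jitter_cv": round(cv, 3),
            "off_hours_fraction": round(off_hours, 2),
            "port_note": KNOWN_RAT_PORTS.get(port, ""),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_CONNECTIONS):
        print(f)
```

On the sample, the browser traffic is dropped by the jitter test and the night-time 62-second cadence from a binary in AppData is the only finding. Grouping on the process image as well as the destination is deliberate: it keeps a RAT that hides behind a copied system-binary name from being averaged together with the real process's traffic, and it gives the responder the file to pull for forensics rather than just an IP address.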

Facilitation Guide

Pre-Session Preparation

Choose PoisonIvy When:

  • Intermediate teams learning about classic remote access threats
  • Credential theft and data exfiltration concepts need demonstration
  • Long-term persistence and stealth should be explored
  • Evolution of threat techniques is a learning objective
  • Detection strategy development for remote access threats

Avoid PoisonIvy When:

  • Novice teams who need simpler, more straightforward threats
  • Advanced teams seeking cutting-edge or sophisticated techniques
  • Short sessions where persistence concepts can’t be fully explored

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

  • “Users reporting occasional computer slowdowns and unusual network activity”
  • “Passwords and credentials compromised despite no obvious phishing”
  • “Files accessed and modified outside of normal business hours”
  • “Network monitoring detecting encrypted communications to unknown servers”

IM Question Progression:

  1. “What could cause credential theft without obvious phishing or malware?”
  2. “How might someone access files during off-hours without physical presence?”
  3. “What would create encrypted network traffic that bypasses normal monitoring?”
  4. “What persistence mechanisms would allow long-term, undetected access?”

Expected Player Discovery Path:

  • Detective: Analyzes evidence of unauthorized access and credential compromise
  • Protector: Identifies signs of persistent, unauthorized system presence
  • Tracker: Maps encrypted command and control communications
  • Communicator: Investigates user reports of unusual system behavior
  • Crisis Manager: Coordinates investigation of suspected long-term compromise
  • Threat Hunter: Searches for advanced persistence and stealth indicators

Remote Access Discovery: Guide toward: “This appears to be a remote access trojan that’s been operating undetected for an extended period.”

Investigation Phase (Round 2) Facilitation

Long-term Compromise Assessment:

  • “How do you investigate when attackers may have had access for months or years?”
  • “What data and credentials should you assume have been compromised?”
  • “How do you determine the full scope of a long-term persistent threat?”

Stealth Technique Analysis:

  • “What techniques allow malware to remain undetected for extended periods?”
  • “How do you investigate threats that actively hide their presence?”
  • “What indicators reveal long-term compromise despite stealth measures?”

Data and Credential Impact:

  • “What sensitive information might have been accessed during long-term presence?”
  • “How do you assess credential compromise when keylogging was possible?”
  • “What business processes might have been observed or influenced?”

Response Phase (Round 3) Facilitation

Persistent Threat Response:

  • “How do you ensure complete removal of threats designed for long-term persistence?”
  • “What credential and system changes are needed after long-term compromise?”
  • “How do you rebuild trust in systems after extended unauthorized access?”

Detection Enhancement:

  • “What monitoring improvements would detect similar threats earlier?”
  • “How do you balance user privacy with the monitoring needed to detect RATs?”
  • “What combination of technical and procedural controls prevents future long-term compromise?”

Advanced Facilitation Techniques

Historical Context and Evolution

Classic vs. Modern RATs:

  • Help teams understand how remote access threats have evolved
  • Guide discussion of persistence techniques and detection improvements
  • Explore how older threats inform modern security strategies

Threat Landscape Development:

  • Discuss how PoisonIvy represents early sophisticated threats
  • Explore lessons learned from classic RAT families
  • Guide understanding of threat evolution and defensive adaptation

Long-term Compromise Management

Persistence Analysis:

  • Help teams understand sophisticated persistence mechanisms
  • Guide discussion of stealth techniques and detection evasion
  • Explore the challenges of detecting patient, careful attackers

Comprehensive Response Planning:

  • Discuss the complexity of responding to long-term compromise
  • Explore credential management and system trust rebuilding
  • Guide development of comprehensive recovery strategies

Real-World Learning Connections

Remote Access Threat Detection

  • Behavioral analysis and anomaly detection for remote access activities
  • Network monitoring and encrypted communication analysis
  • Endpoint detection and response for persistent threats
  • User activity monitoring and access pattern analysis

Credential Security Management

  • Credential theft detection and response procedures
  • Password and authentication security enhancement
  • Privileged access management and monitoring
  • Multi-factor authentication and access controls

Long-term Compromise Recovery

  • Incident response for extended unauthorized access
  • System and credential trust rebuilding procedures
  • Forensic analysis for long-term compromise assessment
  • Business continuity during comprehensive security rebuilding

Assessment and Learning Objectives

Success Indicators

Team Successfully:

  • Recognizes remote access trojan capabilities and long-term persistence
  • Understands credential theft and data exfiltration implications
  • Develops response strategies for extended compromise scenarios
  • Demonstrates understanding of stealth techniques and detection challenges
  • Addresses comprehensive recovery needs after long-term unauthorized access

Learning Assessment Questions

  • “How does long-term persistence change incident response priorities?”
  • “What detection strategies effectively identify stealthy remote access threats?”
  • “How do you rebuild system and credential trust after extended compromise?”
  • “What monitoring improvements balance security with user privacy concerns?”

Community Contributions and Extensions

Advanced Scenarios

  • APT Campaign Integration: PoisonIvy as part of broader advanced persistent threat
  • Supply Chain Delivery: RAT delivered through compromised software or hardware
  • Insider Coordination: Remote access combined with insider threat activities
  • Critical System Access: RAT targeting industrial control systems or critical infrastructure

Strategic Applications

  • Historical Threat Analysis: Using classic RAT families to understand threat evolution
  • Detection Strategy Development: Building comprehensive monitoring for remote access threats
  • Incident Response Enhancement: Developing procedures for long-term compromise scenarios
  • Security Architecture: Designing systems resistant to persistent remote access threats

PoisonIvy represents the classic remote access threat that has influenced decades of cybersecurity defense development, teaching fundamental lessons about persistence, stealth, and the ongoing challenge of detecting patient, sophisticated attackers who seek long-term access to target systems.