Although Poison Ivy has been around for quite some time now, it keeps adapting, using new attack methods and backdoors to spread and take over vulnerable operating systems. Last year, we saw that the attackers behind this threat were using the email@example.com and firstname.lastname@example.org email addresses to expose regular users to a malicious script. Those addresses have no doubt since been disabled, but the same method could still be used, which is why it is extremely important to be cautious about the spam emails employed in phishing attacks. These attacks are referred to as FreeHosting APT PowerSploit Poison Ivy attacks, and they appear to be aimed at larger companies or even governments.
In 2017, a spear-phishing attack that carried FreeHosting APT PowerSploit Poison Ivy was found to be targeted at the Mongolian government. That is the kind of attack we discuss in this report too. It is delivered via email, and the attackers are smart enough to craft emails that the recipients are likely to open. For example, the emails sent from email@example.com were, judging by the name, quite possibly sent to healthcare institutions. If that were the case, the subject lines were very likely both misleading and personalized. Attackers know that they are much more likely to succeed if they address their targets appropriately. The subject line of a misleading spam email could look something like this: “attention required,” “confirm your attendance,” “important information.” Of course, simply opening the email is not enough to unleash FreeHosting APT PowerSploit Poison Ivy.
In the past, FreeHosting APT PowerSploit Poison Ivy was delivered via a malicious link sent in a spam email. The advanced persistent threat (APT) was hosted on a free-hosting service provider, geocities.jp. If the target clicked the link, they executed a VBScript that ran this command: powershell.exe -w hidden -ep bypass -Enc "encoded message". The script would download a file and execute it as a .DOC file. One example of such a file was “Meeting_summary.doc,” a name that would attract almost anyone’s attention. The .DOC file was opened automatically, and then a second PowerShell script was downloaded. Both the VBScript and the PowerShell script were Base64-encoded. The script created a fictitious process (“userinti.exe”) and injected the Poison Ivy remote access tool into it. Then, a .dat file was created to listen for new connections. FreeHosting APT PowerSploit Poison Ivy would connect to a C&C server at IP 188.8.131.52 and transmit information about the operating system.
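The chain above leaves two things in process-creation telemetry that a defender can look for: a PowerShell launch with a hidden window, an execution-policy bypass and a Base64-encoded command, and a host process whose name resembles a legitimate Windows binary (“userinti.exe” versus userinit.exe). The following is an added example, not code from the original report; the events it triages are constructed samples, and the encoded payload is a harmless constructed string.

```python
import base64

# Constructed sample process-creation events (not from a real incident); the
# second one's "userinti.exe" imitates the legitimate Windows userinit.exe.
SAMPLE_ENCODED = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -Enc " + SAMPLE_ENCODED},
    {"image": r"C:\Users\Public\userinti.exe", "cmdline": "userinti.exe"},
    {"image": r"C:\Windows\System32\userinit.exe", "cmdline": "userinit.exe"},
]
KNOWN_BINARIES = ("userinit.exe", "svchost.exe", "explorer.exe", "lsass.exe")  # names worth imitating

def _is_switch(tok, full, minimum):  # powershell.exe accepts any prefix of a switch (-w, -win, -WindowStyle)
    t = tok.lower()
    return t.startswith("-") and len(t) >= minimum and full.startswith(t)

def powershell_indicators(cmdline):
    """Indicators of the launch pattern in the chain: hidden window, policy bypass, -Enc payload."""
    tokens, found = cmdline.split(), {}
    for i, tok in enumerate(tokens[:-1]):
        nxt = tokens[i + 1]
        if _is_switch(tok, "-windowstyle", 2) and nxt.lower() in ("hidden", "1"):
            found["hidden_window"] = nxt
        elif (_is_switch(tok, "-executionpolicy", 3) or tok.lower() == "-ep") and nxt.lower() == "bypass":
            found["policy_bypass"] = nxt
        elif _is_switch(tok, "-encodedcommand", 2) or tok.lower() == "-ec":
            try:  # -Enc carries Base64 of UTF-16LE text; decode it so the analyst sees the real command
                found["encoded_command"] = base64.b64decode(nxt, validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                found["encoded_command"] = "<undecodable>"
    return found

def lookalike(name):
    """Legitimate binary that `name` imitates by one substituted or transposed character, else None."""
    name = name.lower()
    for known in KNOWN_BINARIES:
        if name == known or len(name) != len(known):
            continue
        d = [i for i, (a, b) in enumerate(zip(name, known)) if a != b]
        if len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1 and name[d[0]] + name[d[1]] == known[d[1]] + known[d[0]]):
            return known
    return None

def triage(event):
    """Findings for one process-creation event; an empty list means no indicator matched."""
    findings, name = [], event["image"].rsplit("\\", 1)[-1].lower()
    if name == "powershell.exe":
        ind = powershell_indicators(event["cmdline"])
        if {"hidden_window", "policy_bypass", "encoded_command"} <= set(ind):
            findings.append("hidden window, policy bypass, encoded command: " + ind["encoded_command"])
    if (mimic := lookalike(name)):
        findings.append(f"{name} imitates {mimic}")
    return findings
```

Run triage() over each sample event: the first two produce findings, the genuine userinit.exe produces none.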
Poison Ivy has been spreading for years, and it is known to be capable of logging keystrokes, capturing video, grabbing screenshots, transferring files, stealing passwords, and doing plenty of other malicious things that could compromise anyone’s security. Needless to say, it is the last thing you want on your computer or your network. To prevent FreeHosting APT PowerSploit Poison Ivy from attacking successfully, it is crucial to learn how you, your co-workers, or your employees can identify phishing scams. Here are a few traits that might help you realize that the email you received cannot be trusted.
Hopefully, you can evade FreeHosting APT PowerSploit Poison Ivy attacks, but remember that phishing scams are unlikely to be the only method used. Cyber criminals know their “audience,” and they can adjust their attack methods to improve their chances of success. Poison Ivy has been active for years, and the attackers behind it have had plenty of time to orchestrate successful attacks. So, steer clear of suspicious emails, secure your system and network with reliable security/anti-malware software, educate yourself, and follow the latest security news. If you stay on top of the game, FreeHosting APT PowerSploit Poison Ivy will not stand a chance.