**By Jason Jones** | 04/26/2016 | Posted in [Advanced Persistent Threats](https://www.arbornetworks.com/blog/asert/category/advanced-persistent-threats/), [Backdoors](https://www.arbornetworks.com/blog/asert/category/malware/backdoors/), Malware

The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks' Unit 42 recently [blogged about a new Poison Ivy variant targeting Hong Kong activists](http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/), dubbed SPIVY, that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months.

# Technical Details

The PIVY variant that ASERT has observed exhibits newer behavior that we have not seen discussed previously. The samples drop a decoy document (usually hinting clearly at the target), a DLL named ActiveUpdate.dll, and the PIVY shellcode file as Active.dat. The ActiveUpdate.dll and Active.dat files are created in a directory whose name follows the format `ActiveUpdate_[0-9]{3}`. The executable copies rundll32.exe to ActiveFlash.exe, executes the new file with the path to the DLL, and installs itself for automatic startup via a .lnk file in the Windows Startup folder.
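The execution chain above gives a compact set of host artifacts to hunt for: the three-digit `ActiveUpdate_NNN` directory, the ActiveUpdate.dll / Active.dat / ActiveFlash.exe drops, a renamed rundll32 launched with the DLL path from that directory, and a .lnk written to the Startup folder. The following Python is an added example, not ASERT's tooling and not derived from the samples, that runs those checks over a handful of constructed file-creation and process-creation events in a simplified Sysmon-like shape; the event field names, the sample paths and the "two or more indicators" threshold are assumptions of the example.

```python
"""Hunt for the PIVY "ActiveUpdate" execution chain in endpoint telemetry.

Added example: the event format is a simplified, constructed shape
(dicts with "event", "path", "image", "cmdline"), not real Sysmon output.
"""
import re

# Drop directory: ActiveUpdate_ followed by exactly three digits, as described in the post.
ACTIVEUPDATE_DIR = re.compile(r"\\ActiveUpdate_\d{3}\\", re.IGNORECASE)
# Files the dropper writes into that directory (ActiveFlash.exe is the rundll32 copy).
DROPPED_FILES = {"activeupdate.dll", "active.dat", "activeflash.exe"}
# Persistence: a .lnk written into a Startup folder.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Legitimate rundll32.exe lives here; the malware runs its copy from the drop directory.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(image: str) -> bool:
    lowered = image.lower()
    return any(d in lowered for d in SYSTEM_DIRS)


def check_event(ev: dict) -> set:
    """Return the set of indicator names a single event matches (empty if none)."""
    hits = set()
    if ev["event"] == "file_create":
        path = ev["path"]
        if ACTIVEUPDATE_DIR.search(path) and basename(path) in DROPPED_FILES:
            hits.add("activeupdate_drop")
        if STARTUP_LNK.search(path):
            hits.add("startup_lnk")
    elif ev["event"] == "process_create":
        image, cmdline = ev["image"], ev.get("cmdline", "")
        # The rundll32 copy is named ActiveFlash.exe and runs from the drop directory.
        if basename(image) == "activeflash.exe" and ACTIVEUPDATE_DIR.search(image):
            hits.add("renamed_rundll32")
        # Any loader outside the system directories handed ActiveUpdate.dll from an
        # ActiveUpdate_NNN directory; also catches rundll32 copies with other names.
        if (re.search(r"\\ActiveUpdate_\d{3}\\ActiveUpdate\.dll", cmdline, re.IGNORECASE)
                and not in_system_dir(image)):
            hits.add("sideload_cmdline")
    return hits


def hunt(events) -> dict:
    """Aggregate indicators over an event stream; two or more distinct
    indicators from the chain are treated as a confident match (assumed threshold)."""
    seen = set()
    for ev in events:
        seen |= check_event(ev)
    return {"indicators": sorted(seen), "suspicious": len(seen) >= 2}


# Constructed sample telemetry (not from a real infection).
DROP = r"C:\Users\victim\AppData\Roaming\ActiveUpdate_391"
SAMPLE_EVENTS = [
    {"event": "file_create", "path": DROP + r"\ActiveUpdate.dll"},
    {"event": "file_create", "path": DROP + r"\Active.dat"},
    {"event": "file_create", "path": DROP + r"\ActiveFlash.exe"},
    {"event": "process_create",
     "image": DROP + r"\ActiveFlash.exe",
     "cmdline": f'"{DROP}\\ActiveFlash.exe" {DROP}\\ActiveUpdate.dll'},
    {"event": "file_create",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ActiveUpdate.lnk"},
]
BENIGN_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # Two-digit suffix: does not match the ActiveUpdate_[0-9]{3} pattern.
    {"event": "file_create", "path": r"C:\Users\victim\Downloads\ActiveUpdate_12\ActiveUpdate.dll"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
    print(hunt(BENIGN_EVENTS))
```

The `sideload_cmdline` check is the one worth keeping even if the actor renames ActiveFlash.exe again, since it keys on a non-system loader being handed the dropped DLL rather than on the copy's file name; the threshold of two indicators is there so a lone Startup-folder .lnk does not page anyone.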
ESET identified these samples as "Win32/Korplug.I[F-I] variant", possibly because the malware uses DLL sideloading with rundll32 to load the dropped DLL and perform its malicious actions. This deployment tactic dates well into last year (and possibly before), using different executable names for the rundll32 copy and for the base directory; however, this post only covers the subset of the variant that uses "ActiveUpdate".

*Illustration of execution process of one PIVY sample*

The compile times on these binaries also closely correlate to the times they were first observed in the wild, and some samples contain timestamp-like values in the campaign ID field of the malware configuration.

The decrypted configuration appears to be slightly modified in a way that confuses some publicly available tools that parse the configuration data. The campaign ID is no longer fully null-padded: there is now one null byte followed by a string of repeating "x" characters, which will trip up some scripts. Additionally, the C2s are no longer null-padded: each hostname ends with a null byte that is followed by a string looking something like "0.1127.0.0.1127.0.0.100000". This string changes slightly with each Command & Control (C2) server; the portions that start with "1" change to 2 for the second C2, 3 for the third, and so on. The same values are present elsewhere in memory without the extra items, and only small tweaks are needed to fix the parsing.

The hostname webserver.servehttp[.]com is observed in a number of PIVY samples, some of which are covered in this post.
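The padding change described above is easy to model. The following Python is an added example, not ASERT's parser nor any public Poison Ivy configuration tool: it builds a constructed configuration blob that reproduces the two quirks (one null byte then repeating "x" after the campaign ID; a null byte then the "0.1127.0.0.1127.0.0.100000"-style string after each C2 hostname, with the "1" portions incremented per C2) and shows why a strip-trailing-nulls reader breaks while a read-to-first-null reader does not. The field widths, the three-slot C2 layout and the little-endian port word after each host are assumptions of the example, not the real PIVY configuration structure; the campaign ID and C2 values are taken from the first IOC entry in this post.

```python
"""Parse campaign ID and C2 fields from a PIVY-style config with the tweaked padding.

Added example. The layout below (field widths, three C2 slots, a 16-bit
little-endian port after each host) is an assumption for illustration and is
not the real Poison Ivy configuration structure.
"""
import struct

CAMPAIGN_ID_LEN = 0x20   # assumed width of the campaign ID field
C2_HOST_LEN = 0x40       # assumed width of each C2 hostname field
C2_COUNT = 3             # the samples in the post carry three C2 entries


def build_sample_config(campaign_id: str, c2s) -> bytes:
    """Construct a config blob with the padding quirks described in the post.

    campaign ID : "<id>" + NUL + repeating 'x' up to the field width
    each C2     : "<host>" + NUL + "0.N127.0.0.N127.0.0.N00000" (N = 1-based
                  C2 index), NUL padding to the field width, then a uint16 port
    """
    blob = bytearray()
    field = campaign_id.encode() + b"\x00"
    blob += field + b"x" * (CAMPAIGN_ID_LEN - len(field))
    for n, (host, port) in enumerate(c2s, start=1):
        junk = f"0.{n}127.0.0.{n}127.0.0.{n}00000".encode()
        field = host.encode() + b"\x00" + junk
        blob += field + b"\x00" * (C2_HOST_LEN - len(field))
        blob += struct.pack("<H", port)
    return bytes(blob)


def strip_nulls(field: bytes) -> str:
    """What a parser written for the old, fully null-padded fields does."""
    return field.rstrip(b"\x00").decode("latin-1")


def cstring(field: bytes) -> str:
    """Read up to the first null byte: the small tweak the post says is needed."""
    end = field.find(b"\x00")
    return field[: end if end >= 0 else len(field)].decode("latin-1")


def parse_config(blob: bytes, read_field=cstring) -> dict:
    """Walk the assumed layout, reading each string field with read_field."""
    off = 0
    campaign = read_field(blob[off:off + CAMPAIGN_ID_LEN])
    off += CAMPAIGN_ID_LEN
    c2s = []
    for _ in range(C2_COUNT):
        host = read_field(blob[off:off + C2_HOST_LEN])
        off += C2_HOST_LEN
        (port,) = struct.unpack_from("<H", blob, off)
        off += 2
        c2s.append((host, port))
    return {"campaign_id": campaign, "c2s": c2s}


# Constructed from the first IOC entry in this post (SHA1 a7d20679...).
SAMPLE_CONFIG = build_sample_config(
    "om",
    [("jackhex.md5c.net", 8080), ("jackhex.md5c.net", 53), ("jackhex.md5c.net", 53)],
)

if __name__ == "__main__":
    print("old reader:  ", parse_config(SAMPLE_CONFIG, strip_nulls))
    print("fixed reader:", parse_config(SAMPLE_CONFIG))
```

With `strip_nulls` the campaign ID comes back as `om`, a NUL and 29 "x" characters, and each hostname drags the NUL and the "0.N127..." string along with it, which is exactly the breakage the post describes; reading to the first NUL recovers `om` and the bare hostnames without touching the rest of the layout.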
Additionally, the IP resolved to by this hostname overlapped with fileshare.serveftp[.]com, which was used in an earlier and seemingly unrelated PIVY sample.

# Decoy Documents and Targeting

A number of PIVY samples were observed targeting Myanmar and several other countries in Asia. While the exact targets and delivery methods are not known to ASERT at this time, the documents and submission sources provide strong hints as to the motivations and potential targets of these exploitation campaigns. The sample described in the previous section, a7d206791b1cdec616e9b18ae6fa1548ca96a321, was observed to be targeting [...] released on November 25, 2015, and it was first seen late evening in the US on November 24, 2015, which equates to November 25 in Myanmar. The document was dropped as "STEP Democracy Year 1 Acheivements_25112015.docx" and was also dropped by SHA1 724166261e9c2e7718be22b347671944a1e7fded with the name "Year1achievementsv2.docx", but that sample uses a different communications password over the same set of C2s. The documents may be drafts of a final report released in December by the International Institute for Democracy and Electoral Assistance (IDEA), a part of the STEP Democracy initiative. IDEA is "part of the European Union-funded project Support to Electoral Processes and Democracy (STEP Democracy)", whose goal is to support democracy worldwide. IDEA has been working with Myanmar before and after its recent election to ensure "peaceful, transparent and credible elections." Part of this work includes publishing reports and drafts such as those referenced above. In this case, the bait document's metadata contains a company name of "IDEA" with an author of "Sophia", possibly referencing a current member of the organization, and a last-edited date of November 20, 2015.
The content of the document details a debate around the democratic elections in Myanmar. This timeline would put the targeting past the elections that occurred in early November, but it still appears to be focused on individuals interested in democracy inside Myanmar. The targeting of post-election Myanmar appears to follow the same style as what was described in the ["Uncovering the Seven Pointed Dagger" paper](https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf) by ASERT. In this case, however, the threat actors appear to have begun using references to the STEP organization to continue their likely spearphishing tactic by leveraging content relevant to post-election Myanmar. A possible connection exists given that the C2 for these samples, jackhex.md5c[.]com, resolved to an IP within 103.240.203.0/22, as did a 9002 RAT sample in the Seven Pointed Dagger exploitation campaign. A "LURK0" Gh0st RAT and another PIVY domain were also observed to have resolved to IPs within this range, making the subnet more suspicious from a targeted-attack perspective.

*Dropped document referencing Myanmar's democratic process*

A number of documents that appear to be economically focused were also observed recently, and one of these samples also references Myanmar. This sample used a campaign ID of "mm20160405" and dropped a document named "Chairman's Report of the 19th ASEAN [...] Taw, Myanmar.doc" that references an Association of Southeast Asian Nations (ASEAN) meeting that took place in Myanmar in September of 2015.
The timing of this sample is quite different from the earlier sample and suggests at least a follow-up campaign, given the malware compilation timestamp of March 28, 2016, an apparent timestamp value in the campaign ID of April 5, 2016, and the fact that the binary was first observed in the wild on April 11, 2016. The mutex specified in the configuration, 20150120, is the same mutex used in the earlier sample that dropped a document referencing the STEP program, but this mutex is also used in many other PIVY samples that use the "ActiveUpdate" directory structure and is likely not useful for identifying the campaign or a relationship between samples, beyond possibly indicating a similar version. The C2 used in this sample, admin.nslookupdns[.]com, resolved to an IP within the subnet 118.193.218.0/24. As with the previous sample discussed, ASERT has observed this range overlapping with many other malware families, including Nitol, Gh0st RAT, and another PIVY sample that uses "ActiveUpdate". That sample's C2 domain is news.tibetgroupworks[.]com, which provides an obvious suggestion of the targeting; however, no decoy documents were dropped and no further information was discovered to support the targeting hypothesis.

*Dropped document referencing ASEAN meeting in Myanmar*

Continuing the theme of campaigns targeting ASEAN, sample 31756ccdbfe05d0a510d2dcf207fdef5287de285 drops a decoy document named "Robertus Subono-REGISTRATION_FORM_ASEAN_CMCoord2016.docx" that references an ASEAN Humanitarian Civil Military Coordination meeting that took place in Bangkok between March [...] The sample has a compilation date of March 10, 2016, was first observed by ASERT on March 20, 2016, and also contains an invalid digital signature claiming to be signed by Google.
Coupling the campaign ID of "modth" with the purpose and location of the meeting and the email address this form is supposed to be mailed to, a possible target of this sample is Thailand's Ministry of Defense. The C2s used by this sample overlap nearly perfectly with the prior sample that references the ASEAN meeting in Myanmar: the first C2 uses port 80 whereas the prior sample used 81, and both use the same mutex and password. This overlap suggests possible ongoing targeting of ASEAN members and the meetings they hold.

*Decoy document dropped by 31756ccdbfe05d0a510d2dcf207fdef5287de285 referencing an ASEAN meeting in Thailand*

The decoy document "2016.02.29-03.04 -ASEM Weekly.docx" dropped by ec646c57f9ac5e56230a17aeca6523a4532ff472 was also interesting in that it was not in English like the other two observed documents; Google Translate identifies the language of the document as Mongolian.

*Decoy document referencing an Asia-Europe Meeting (ASEM) dropped by ec646c57f9ac5e56230a17aeca6523a4532ff472*

The decoy document 1.docx dropped by f389e1c970b2ca28112a30a8cfef1f3973fa82ea shows as corrupted when executed in a sandbox, but manual recovery yielded a document in Korean, with a malware campaign ID of kk31. The document appears to reference Korean language schools abroad, and the telephone number present yields an affiliation with the Korean Ministry of Foreign Affairs, but the intended target is unclear at this time.

*Korean language decoy document dropped by f389e1c970b2ca28112a30a8cfef1f3973fa82ea*

Sample 675a3247f4c0e1105a41c685f4c2fb606e5b1eac dropped a decoy document named "Commission on Filipinos Overseas & Dubai.doc", but this document did not render correctly in a malware sandbox or manually. VirusTotal revealed a submission from the Philippines, which suggests that they, not Dubai / UAE, were the targets.
The C2s for this sample used webserver.servehttp[.]com, which is also used by many of the recent samples, suggesting the same actor may be involved in this campaign activity.

# Conclusion

As this post and other recent posts detail, PIVY continues to evolve and to be used in a myriad of targeted exploitation campaigns, not unlike many other targeted malware families such as PlugX or the Dukes. This will certainly not be the last evolution of PIVY, and ASERT continues to monitor these threats as they are discovered. I would also like to thank Curt Wilson of ASERT for his assistance with the research covered in this post.

# IOCs

Configuration elements and additional information for the samples discussed in this article. Note that the `%E2%80%AE` in the submitted filename of 675a3247f4c0e1105a41c685f4c2fb606e5b1eac is the URL-encoded form of U+202E (RIGHT-TO-LEFT OVERRIDE), a character commonly used to disguise a file extension by reversing the displayed order of the characters that follow it.

```
SHA1: a7d206791b1cdec616e9b18ae6fa1548ca96a321
First Seen: Nov 24, 2015
Campaign ID: om
C2s: jackhex.md5c.net:8080
     jackhex.md5c.net:53
     jackhex.md5c.net:53
Mutex: 20150120
Password: 18703983384

SHA1: 724166261e9c2e7718be22b347671944a1e7fded
First Seen: Nov 23, 2015
Name: Year1achievementsv2.exe
Decoy Doc: Year1achievementsv2.docx
Campaign ID: om
C2s: jackhex.md5c.net:8080
     jackhex.md5c.net:53
     jackhex.md5c.net:53
Mutex: 20150120
Password: 15911117665

SHA1: 675a3247f4c0e1105a41c685f4c2fb606e5b1eac
First Seen: April 7, 2016
Name: Commission on Filipinos Overseas & Dubai %E2%80%AEcod.doc
Decoy Doc: Commission on Filipinos Overseas & Dubai.doc
Campaign ID: gmkill
C2s: webserver.servehttp.com:8080
     webserver.servehttp.com:8080
     webserver.servehttp.com:8081
Mutex: 20150120
Password: 13813819438

SHA1: 63e00dbf45961ad11bd1eb55dff9c2771c2916a6
First Seen: April 11, 2016
Name: 1.exe
Decoy Doc: Chairman's Report of the 19th ASEAN Regional Forum Heads of Defence Universitie[...]
Campaign ID: mm20160405
Domain Created: December 17, 2015
C2s: admin.nslookupdns.com:81
     admin.nslookupdns.com:53
     admin.nslookupdns.com:8080
Mutex: 20150120
Password: 52100521000

SHA1: 31756ccdbfe05d0a510d2dcf207fdef5287de285
First Seen: March 20, 2016
Name: Unknown
Decoy Doc: Robertus Subono-REGISTRATION_FORM_ASEAN_CMCoord2016.docx
Campaign ID: modth
Domain Created: December 17, 2015
C2s: admin.nslookupdns.com:80
     admin.nslookupdns.com:53
     admin.nslookupdns.com:8080
Mutex: 20150120
Password: 52100521000

SHA1: ec646c57f9ac5e56230a17aeca6523a4532ff472
Decoy Doc: 2016.02.29-03.04 -ASEM Weekly.docx (Mongolian language)
Campaign ID: wj201603
Domain Created: January 14, 2016
C2s: web.microsoftdefence.com:8080
     web.microsoftdefence.com:8080
     web.microsoftdefence.com:80
Mutex: 20150120
Password: 80012345678

SHA1: f389e1c970b2ca28112a30a8cfef1f3973fa82ea
Name: Unknown
Decoy Doc: 1.docx (corrupted but recoverable, Korean language)
First Seen: April 9, 2016
Campaign ID: kk31
C2s: webserver.servehttp.com:59148
     webserver.servehttp.com:59418
     webserver.servehttp.com:5000
Mutex: 20160301
Password: 13177776666

SHA1: 49e36de6d757ca44c43d5670d497bd8738c1d2a4
Name: Unknown
Decoy Doc: 1.pdf, references a project in Vietnam requesting an email to a Thailand email address
First Seen: March 10, 2016
C2s: webserver.servehttp.com:59148
     webserver.servehttp.com:59418
     webserver.servehttp.com:1024
Mutex: 20160219
Campaign ID: mt39
```

Discovered during the investigation; does not drop a decoy document, but exhibits a similar configuration:

```
SHA1: ef2618d58bd50fa232a19f9bcf3983d1e2dff266
Name: 2.tmp
Decoy Doc: None
First Seen: June 3, 2015
Domain Created: May 29, 2015
C2s: news.tibetgroupworks.com:80
     news.tibetgroupworks.com:80
     news.tibetgroupworks.com:80
Campaign ID: 213
Mutex: 2015012
```

## SHA1 Hashes

```
63e00dbf45961ad11bd1eb55dff9c2771c2916a6
675a3247f4c0e1105a41c685f4c2fb606e5b1eac
49e36de6d757ca44c43d5670d497bd8738c1d2a4
cbbfc3b5ff08de14fdb2316f3b14886dfe5504ef
a7d206791b1cdec616e9b18ae6fa1548ca96a321
ec646c57f9ac5e56230a17aeca6523a4532ff472
f389e1c970b2ca28112a30a8cfef1f3973fa82ea
```

## Unique C2 Hostnames

```
news.tibetgroupworks.com
web.microsoftdefence.com
admin.nslookupdns.com
jackhex.md5c.net
webserver.servehttp.com
```

© 2016 Arbor Networks, Inc. All rights reserved.