{
	"id": "4c9c220e-ed30-4f9a-a693-8b257bf5746b",
	"created_at": "2026-04-06T00:11:41.726801Z",
	"updated_at": "2026-04-10T03:22:09.350095Z",
	"deleted_at": null,
	"sha1_hash": "6f886a8706a61dd81bf2d549327b6ad405d841d7",
	"title": "Deep Analysis of New Poison Ivy Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3967958,
	"plain_text": "Deep Analysis of New Poison Ivy Variant\r\nBy Xiaopeng Zhang\r\nPublished: 2017-08-23 · Archived: 2026-04-05 14:45:45 UTC\r\nRecently, the FortiGuard Labs research team observed that a new variant of Poison Ivy was being spread through a malicious PowerPoint file. We captured a PowerPoint file named Payment_Advice.ppsx, which is in OOXML format. Once the victim opens this file in Microsoft PowerPoint, the malicious code contained in the file is executed. It downloads the Poison Ivy malware onto the victim’s computer and then launches it. In this blog, I’ll show the details of how this happens, what techniques are used by this malware, and what it does to the victim’s computer.\r\nThe PowerPoint Sample\r\nFigure 1 shows a screenshot of when the ppsx file is opened.\r\nFigure 1. Open Payment_Advice.ppsx\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant.html\r\nPage 1 of 18\n\nAs you can see, the ppsx file is played automatically. The “ppsx” extension stands for “PowerPoint Show,” which opens the file directly in presentation mode, so the slide carrying the malicious action is displayed without any further navigation by the user. The warning message box alerts the user that the presentation is about to run an external program. Usually, the implied content of the document beguiles the user into pressing the Enable button.\r\nLet’s take a look at the malicious code embedded inside this PowerPoint file.\r\nAn OOXML file is a zip archive. By decompressing it we can see the file/folder structure shown below.\r\nFigure 2. PPSX file structure\r\nGoing into its .\\ppt\\slides\\ subfolder, slide1.xml is the slide automatically shown in Figure 1. The file .\\ppt\\slides\\_rels\\slide1.xml.rels is the relationship file where the resources used in slide1.xml are defined. 
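The check this section is building up to (a slide element whose mouse-over action points at an external relationship that launches a program) can be automated. The following Python script is an added example written for this edit, not tooling from the original post: it scans every slide in a PPSX/PPTX package for hlinkClick/hlinkMouseOver elements whose action is ppaction://program and whose r:id resolves to a relationship with TargetMode=External, which is exactly the slide1.xml/rId2 pairing described here. The sample package it builds is constructed for the demonstration (the cmd.exe command line in it is a stand-in, not the real dropper) and the helper names are the example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces: PresentationML, DrawingML, relationship references, and
# the package-relationships (.rels) schema.
NS_P = 'http://schemas.openxmlformats.org/presentationml/2006/main'
NS_A = 'http://schemas.openxmlformats.org/drawingml/2006/main'
NS_R = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships'
NS_REL = 'http://schemas.openxmlformats.org/package/2006/relationships'

SLIDE_RE = re.compile('ppt/slides/slide[0-9]+[.]xml')
ACTION_TAGS = ('hlinkClick', 'hlinkMouseOver')


def external_rels(zf, slide_name):
    '''Map rId -> Target for relationships of one slide that leave the package
    (TargetMode=External). ppt/slides/slideN.xml keeps its relationships in
    ppt/slides/_rels/slideN.xml.rels.'''
    folder, base = slide_name.rsplit('/', 1)
    rels_name = folder + '/_rels/' + base + '.rels'
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {
        rel.get('Id'): rel.get('Target')
        for rel in root.iter('{' + NS_REL + '}Relationship')
        if rel.get('TargetMode') == 'External'
    }


def find_program_actions(package_bytes):
    '''Return (slide, trigger, rId, target) for every click/hover action that
    asks PowerPoint to run a program through an external relationship. Plain
    web hyperlinks are External too, so the ppaction://program test is what
    separates a dropper from an ordinary link.'''
    hits = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not SLIDE_RE.fullmatch(name):
                continue
            rels = external_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            for tag in ACTION_TAGS:
                for el in root.iter('{' + NS_A + '}' + tag):
                    action = el.get('action') or ''
                    rid = el.get('{' + NS_R + '}id')
                    if action.startswith('ppaction://program') and rid in rels:
                        hits.append((name, tag, rid, rels[rid]))
    return hits


# Constructed stand-in for the dropper command line (not the one from
# Payment_Advice.ppsx); the real sample echoes VBS into the Startup folder.
SAMPLE_CMD = 'cmd.exe /c echo CreateObject(...) > Thumbs.vbs'


def build_sample_ppsx():
    '''Build a minimal PPSX in memory: shape 4 runs rId2 on mouse-over (the
    malicious pattern), shape 5 is a harmless web hyperlink through rId3.'''
    def sub(parent, ns, tag, **attrs):
        return ET.SubElement(parent, '{' + ns + '}' + tag, **attrs)

    for prefix, ns in (('p', NS_P), ('a', NS_A), ('r', NS_R)):
        ET.register_namespace(prefix, ns)
    sld = ET.Element('{' + NS_P + '}sld')
    tree = sub(sub(sld, NS_P, 'cSld'), NS_P, 'spTree')
    for shape_id, tag, rid in (('4', 'hlinkMouseOver', 'rId2'), ('5', 'hlinkClick', 'rId3')):
        nv = sub(sub(tree, NS_P, 'sp'), NS_P, 'nvSpPr')
        cnvpr = sub(nv, NS_P, 'cNvPr', id=shape_id, name='Shape ' + shape_id)
        link = sub(cnvpr, NS_A, tag)
        link.set('{' + NS_R + '}id', rid)
        if tag == 'hlinkMouseOver':
            link.set('action', 'ppaction://program')

    rels = ET.Element('{' + NS_REL + '}Relationships')
    sub(rels, NS_REL, 'Relationship', Id='rId1', Type=NS_R + '/slideLayout',
        Target='../slideLayouts/slideLayout1.xml')
    sub(rels, NS_REL, 'Relationship', Id='rId2', Type=NS_R + '/hyperlink',
        Target=SAMPLE_CMD, TargetMode='External')
    sub(rels, NS_REL, 'Relationship', Id='rId3', Type=NS_R + '/hyperlink',
        Target='https://example.com/', TargetMode='External')

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('ppt/slides/slide1.xml', ET.tostring(sld))
        zf.writestr('ppt/slides/_rels/slide1.xml.rels', ET.tostring(rels))
    return buf.getvalue()


if __name__ == '__main__':
    for slide, trigger, rid, target in find_program_actions(build_sample_ppsx()):
        print(slide, trigger, rid, '->', target)
```

To triage a real file, pass its bytes to find_program_actions; the benign rId3 hyperlink in the sample shows why the scanner keys on the action attribute rather than on External relationships alone.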
In slide1.xml, I found the XML code: \r\n.\r\nThis means that when the user’s mouse hovers over this element, the resource named “rId2” in the slide1.xml.rels file is executed.\r\nFigure 3 shows the relationship between them.\r\nFigure 3. The code defined in “rId2”\r\nBeing Added into the Startup Group\r\nThe code defined in “rId2” uses an echo command of cmd.exe to write VBS code into the Thumbs.vbs file in the “Startup” folder of the Start menu. Anything in that folder runs at each logon, so Thumbs.vbs is executed every time the victim’s system starts. We’ll take a look at the content of this Thumbs.vbs file below.\r\nFigure 4. Thumbs.vbs in the Startup folder and its content\r\nThe Downloaded File\r\nThumbs.vbs downloads a file from hxxp://203.248.116.182/images/Thumbs.bmp and runs it using msiexec.exe. The .bmp extension is only a disguise; msiexec.exe reads the file as an installer package regardless of its name. As you may know, msiexec.exe is the Microsoft Windows Installer program, which is the default handler of .MSI files. Msiexec.exe can be used to install, uninstall and update software on Windows. The MSI file is an Installer Package. It contains a PE file (in a stream) that is executed when the package is loaded by msiexec.exe. Because the PE file is carried inside the installer container rather than dropped as a standalone executable, and is launched by a trusted Microsoft binary, swapping it for malware is an effective way to evade AV detection. We have also observed that more and more malware authors have started using this method to run their malware. The MSI file is in the Microsoft OLE Compound File format. In Figure 5 we can see the downloaded Thumbs.bmp file content in the DocFile Viewer.\r\nFigure 5. The downloaded Thumbs.bmp in DocFile viewer\r\nNext, I’m going to extract this PE file from the stream into a file (exported_thumbs). 
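The extraction and the PE check that follows can be scripted. The Python below is an added example written for this edit, not the post's own tooling: carve_pe finds every well-formed PE image embedded in a blob and reports whether it is PE32+ (64-bit) and whether it carries a CLR runtime header, which is what makes it a .NET image. The raw MSI is a fine input as long as the stream is stored uncompressed, because an MZ/PE header scan finds the image without parsing the compound file. The carrier and the PE images used in the demonstration are constructed in memory and are not the real Thumbs.bmp; the function names are the example's own.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_DLL = 0x2000
DIR_COM_DESCRIPTOR = 14      # data-directory slot of the CLR runtime header
PE_SIG = b'PE' + bytes(2)


def parse_pe(blob, off):
    '''Validate the PE headers at blob[off:] and describe the image, or return
    None when the bytes are not a well-formed PE (e.g. a stray MZ in other data).'''
    n = len(blob)
    if blob[off:off + 2] != b'MZ' or off + 0x40 > n:
        return None
    pe = off + struct.unpack_from('<I', blob, off + 0x3C)[0]
    if pe + 24 > n or blob[pe:pe + 4] != PE_SIG:
        return None
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from('<HHIIIHH', blob, pe + 4)
    opt = pe + 24
    sections = opt + opt_size
    if opt_size < 2 or sections + 40 * nsections > n:
        return None
    magic = struct.unpack_from('<H', blob, opt)[0]
    if magic == PE32PLUS_MAGIC:
        dirs = opt + 112         # NumberOfRvaAndSizes at +108, directories at +112
    elif magic == PE32_MAGIC:
        dirs = opt + 96          # NumberOfRvaAndSizes at +92, directories at +96
    else:
        return None
    if dirs > sections:
        return None
    ndirs = struct.unpack_from('<I', blob, dirs - 4)[0]
    clr_rva = clr_size = 0
    if ndirs > DIR_COM_DESCRIPTOR and dirs + 8 * (DIR_COM_DESCRIPTOR + 1) <= sections:
        clr_rva, clr_size = struct.unpack_from('<II', blob, dirs + 8 * DIR_COM_DESCRIPTOR)
    # On-disk size: headers plus the furthest end of any section's raw data.
    end = sections + 40 * nsections - off
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from('<II', blob, sections + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return {
        'offset': off,
        'size': min(end, n - off),
        'machine': machine,
        'is_64bit': magic == PE32PLUS_MAGIC,
        'is_dotnet': clr_rva != 0 and clr_size != 0,
        'is_dll': bool(chars & IMAGE_FILE_DLL),
    }


def carve_pe(blob):
    '''Return [(offset, image_bytes, info)] for every embedded PE in blob.'''
    found = []
    pos = blob.find(b'MZ')
    while pos != -1:
        info = parse_pe(blob, pos)
        if info is None:
            pos = blob.find(b'MZ', pos + 1)
            continue
        found.append((pos, blob[pos:pos + info['size']], info))
        pos = blob.find(b'MZ', pos + max(info['size'], 1))
    return found


def build_fake_pe(magic, machine, dotnet):
    '''Constructed minimal PE image (headers plus one 16-byte section) for the
    demonstration; it is not runnable code and not the real sample.'''
    fixed = 112 if magic == PE32PLUS_MAGIC else 96
    opt_size = fixed + 16 * 8
    hdr_end = 0x40 + 24 + opt_size + 40
    dos = bytearray(0x40)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack('<HHIIIHH', machine, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, magic)
    struct.pack_into('<I', opt, fixed - 4, 16)              # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into('<II', opt, fixed + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)
    section = bytearray(40)
    section[0:5] = b'.text'
    struct.pack_into('<II', section, 16, 16, hdr_end)       # SizeOfRawData, PointerToRawData
    return bytes(dos) + PE_SIG + coff + bytes(opt) + bytes(section) + bytes(16)


if __name__ == '__main__':
    # Constructed carrier: junk that happens to contain MZ, then a 64-bit .NET image.
    carrier = b'OLE stream MZ junk ' + build_fake_pe(PE32PLUS_MAGIC, IMAGE_FILE_MACHINE_AMD64, True) + b' trailer'
    for off, img, info in carve_pe(carrier):
        print(hex(off), len(img), info)
```

The stray MZ in the carrier is rejected because no PE signature follows its e_lfanew, which is the false-positive case a naive MZ grep gets wrong; the size computation lets the carved image be written to disk as a standalone file, the equivalent of the exported_thumbs step.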
By checking with a PE analysis tool, we can see that it’s a 64-bit .NET program. This means that this malware only affects 64-bit Windows.\r\nAnalyzing the .NET code and Running It\r\nAfter loading this extracted file into dnSpy, we can see the entry function Main(), as shown in Figure 6.\r\nFigure 6. Main function\r\nMain() calls the rGHDcvkN.Exec() function, which contains a huge byte array. The data in the array is machine code that is executed as a thread function by a newly created thread.\r\nFigure 7 clearly shows how the code in the array is executed.\r\nFigure 7. .NET program runs a thread to execute the code in a huge array\r\nIf the code is run on a 64-bit platform, IntPtr.Size is 8, so the huge array is assigned to array3. It then allocates a memory buffer by calling rGHDcvkN.VirtualAlloc() (the program’s own wrapper around the Windows VirtualAlloc API), copies the code from array3 into the new memory by calling Marshal.Copy(), and eventually calls rGHDcvkN.CreateThread() to run the code. This is the classic .NET shellcode-runner pattern: VirtualAlloc, Marshal.Copy, CreateThread.\r\nI started the .NET program in the debugger, and set a breakpoint on the CreateThread API to see what the array code would do when it’s hit. Per my analysis of the array code, it is a kind of loader. Its main purpose is to dynamically load the main part of the malware code from the memory space into a newly allocated memory buffer. It then applies relocations according to the new base address and resolves the API imports for the main code. Finally, the main code’s entry function is called.\r\nAnti-Analysis Techniques\r\n1. All APIs are hidden. They are restored when being called. 
The snippet below is the hidden CreateRemoteThread call: the stub stores the negated address of the API as an immediate, negates it back at call time and jumps to it, so the real API address never appears as a constant in the code.\r\nsub_1B0E6122 proc near\r\n mov rax, 0FFFFFFFF88E23B10h\r\n neg rax\r\n jmp rax ;; CreateRemoteThread\r\nsub_1B0E6122 endp\r\n2. All strings are encrypted. They are decrypted before use. For example, this is the encrypted “ntdll” string.\r\nunk_1AFD538C db 54h, 0B2h, 9Bh, 0F1h, 47h, 0Ch ; ==\u003e \"ntdll\"\r\n3. It runs a thread (I named it ThreadFun6) to check whether a breakpoint has been set on any API. If so, it calls TerminateProcess in another thread to exit the process immediately. The thread function checks all exported APIs in the following modules: “ntdll”, “kernel32”, “kernelbase” and “user32”. In Figure 8, you can see how this works:\r\nFigure 8. Checking for breakpoints on exported APIs in “ntdll”\r\n4. It runs a thread to check if any analysis tools are running. It does this by creating named pipes with names that some analysis tools create themselves, for example “\\\\.\\Regmon” for the registry monitor tool RegMon, “\\\\.\\FileMon” for the local file monitor tool FileMon, “\\\\.\\NTICE” for SoftIce, and so on. If one of the named pipes cannot be created, it means one of the analysis tools is running, and the malware exits the process soon thereafter.\r\n5. It then goes through all the running program windows to check if any window class name contains a special string, to determine if an analysis tool is running. For example, “WinDbgFrameClass” is the class name of WinDbg’s main window. This check runs in a thread as well (I named it ThreadFun3). Below, Figure 9 shows how this thread function works.\r\nFigure 9. Check Windows’ Class Name\r\n6. 
By checking whether the “Wireshark-is-running-{…}” named mutex object exists (by calling OpenMutex), it implements an anti-Wireshark check.\r\n7. By calling the API IsDebuggerPresent, it checks whether this process is running under a debugger (the API returns 1 if so). It’s a kind of anti-debugging check. It also measures how much time the IsDebuggerPresent call takes. If the time is more than 1000 ms, it concludes that the process is being debugged or is running in a VM, and it then exits the process.\r\nThese are all the ways that this malware performs anti-analysis. Most of these checks run in their own threads and are repeated every second. The malware exits the process if any check is matched.\r\nTo continue the analysis of this malware, we have to first skip these checks. We can dynamically modify its code to do so. For example, forcing IsDebuggerPresent’s return value to 0 allows us to bypass the running-in-debugger detection; the timing check, the breakpoint scan and the window, pipe and mutex checks each need to be patched or have their threads neutralised in the same way.\r\nGenerating A Magic String from Decrypted Strings\r\nBy decrypting three strings and concatenating them, we get the magic string \"Poison Ivy C++\", which is saved in the global variable qword_1B0E4A10. The code snippet below shows how it builds this string.\r\nFigure 10. Generating the magic string\r\nHiding Key Functions in Six Different Modules\r\nIt next loads several modules from its encrypted data. It creates a doubly-linked list, which is used to store and manage these loaded modules. The export functions of these modules perform the malware’s main work. Because the modules never exist as files on disk and are only materialised in memory, this also makes dynamic debugging harder. The variable qword_1AFE45D0 holds the head of that doubly-linked list. 
Each object in the list has the structure below (offsets in hex):\r\n+00H pointer to previous object in the list\r\n+08H pointer to next object in the list\r\n+18H Critical Section object used to serialise access\r\n+28H the base address of the module this object is related to\r\n+30H pointer to the export function table\r\nIt then decrypts and decompresses six modules one by one, and adds each of them to the doubly-linked list. Figure 11 shows a code snippet from decrypting these six modules.\r\nFigure 11. Decrypting and decompressing modules\r\nEach module has an initialization function (like DllMain for DLL files) that is called once the module is completely decrypted and decompressed. Three of these modules have an anti-analysis ability similar to the one I described in the Anti-Analysis section above. So to continue the analysis of this malware, I needed to modify their code to bypass their detection functions.\r\nAfter that it calls the export functions of those modules. It decrypts the configuration data from the buffer at unk_1AFE3DA0. This configuration data is decrypted many times while the process runs, and it tells the malware how to work. I’ll talk more about the configuration data in a later section.\r\nThe malware then picks a string from the configuration data, which is “%windir%\\system32\\svchost.exe”. It later calls CreateProcess to run svchost.exe, and then injects code and data from the malware’s memory into the newly created svchost.exe process. It finally calls the injected code and exits its current process. The malware’s further work is now done inside svchost.exe, so its network activity appears to come from a legitimate Windows binary.\r\nStarting over in SVCHOST.exe\r\nThrough my analysis I could see that the injected code and data represent the entire malware. 
It all starts over again in the svchost.exe process. Everything I have reviewed above is repeated in svchost.exe: executing the anti-analysis detection code, getting the magic string, creating a doubly-linked list, decrypting six modules and adding them to the doubly-linked list, and so on.\r\nIt then takes a different code branch when executing the instruction 01736C2 cmp dword ptr [rdi+0Ch], 1 in module2. [rdi+0Ch] is a flag that was passed when the entire code was initialized. When the flag is 0, it takes the code branch that runs svchost.exe and injects code into it; when it’s 1, it takes the code branch that connects to the C\u0026C server. Before the injected code in svchost.exe is executed, the flag is set to 1. Figure 12 shows the code branches.\r\nFigure 12. Snippet of code branches\r\nObtaining the C\u0026C Server from PasteBin\r\nThe C\u0026C server’s IP addresses and ports are encrypted and stored on the PasteBin website. PasteBin is a text and code sharing website: a registered user can paste text on it and share it with everyone. The malware author created 4 such pages and put the encrypted C\u0026C server IP addresses and ports there, so the sample itself contains no hard-coded C\u0026C address and the operator can move the server without redeploying the malware. Do you remember when I talked previously about the encrypted configuration data? It contains the 4 PasteBin URLs. They are\r\nhxxps://pastebin.com/Xhpmhhuy\r\nhxxps://pastebin.com/m3TPwxQs\r\nhxxps://pastebin.com/D8A2azM8\r\nhxxps://pastebin.com/KQAxvdvJ\r\nFigure 13 shows the decrypted configuration data.\r\nFigure 13. Decrypted configuration data\r\nIf you access any one of these URLs, you will find what looks like ordinary Python code. The encrypted server IP address and port are hidden inside that Python code. 
Let’s take a look.\r\nIn the main function you will find the code below:\r\nwin32serviceutil.HandleCommandLine({65YbRI+gEtvlZpo0qw6CrNdWDoev})\r\nThe data between “{“ and “}” is the encrypted IP address and port. See Figure 14 for more information.\r\nFigure 14. Encrypted C\u0026C IP address and Port on PasteBin\r\nLet’s see what we get after decryption in Figure 15.\r\nFigure 15. Decrypted IP address and Port\r\nFrom Figure 15, we can determine that the decrypted C\u0026C server IP address is 172.104.100.53 and the port is 1BBH, i.e. 443. It should be noted that the IP addresses and ports on the four pages are not the same. The author of this malware can update these IP addresses and ports by simply editing the Python code on the four PasteBin pages.\r\nCommunicating with the C\u0026C server\r\nThe malware starts connecting and sending data to its C\u0026C server once it gets the IP address and port. All the packets traveling between the malware and its server are encrypted using a custom, undocumented algorithm. The structure of the packet is as follows (the first 14H bytes are the header, and the data part starts at offset 14H):\r\n+00 4 bytes: a key for encryption or decryption.\r\n+04 4 bytes: the packet command.\r\n+0C 4 bytes: the length in bytes of the data portion of the packet.\r\n+14 start of the real data.\r\nOnce the malware has connected to the server, it first sends a “30001” command, and the server replies with command “30003”. The command “30003” requests the client to collect the victim’s system information. 
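As an added example written for this edit (not code from the post), the following Python serialises and parses frames with the header layout just described and recognises the 30001/30003 opening exchange. The two 4-byte fields at +08 and +10 are not described in the post, so they are carried as opaque integers; the data part is left as-is because the post does not disclose the cipher; and the command values and little-endian byte order are assumptions stated as constants. The frames it processes are constructed, not captured traffic.

```python
import struct

HEADER_LEN = 0x14
HEADER_FMT = '<IIIII'   # key, command, unknown@+08, data length, unknown@+10 (assumed little-endian)
CMD_HELLO = 30001       # first command the client sends (value as written in the post)
CMD_SYSINFO = 30003     # server reply asking the client to collect system information


def build_frame(key, command, body, unknown1=0, unknown2=0):
    '''Serialise one frame: 0x14-byte header followed by the data part. body must
    already be in wire form (encrypted with key by the undisclosed algorithm,
    which this example does not implement).'''
    return struct.pack(HEADER_FMT, key, command, unknown1, len(body), unknown2) + body


def parse_frames(buf):
    '''Split a TCP byte stream into complete frames. Returns (frames, rest):
    rest is an incomplete trailing frame (short header or short body) that the
    caller prepends to the next read, so frames split across reads still parse.'''
    frames = []
    pos = 0
    while len(buf) - pos >= HEADER_LEN:
        key, command, u1, length, u2 = struct.unpack_from(HEADER_FMT, buf, pos)
        start = pos + HEADER_LEN
        if len(buf) - start < length:
            break                       # body not fully received yet
        frames.append({
            'key': key,
            'command': command,
            'length': length,
            'unknown': (u1, u2),
            'data': buf[start:start + length],
        })
        pos = start + length
    return frames, buf[pos:]


def is_poison_ivy_handshake(frames):
    '''True when the stream opens with the exchange observed in the post:
    a client 30001 followed by a server 30003.'''
    if len(frames) < 2:
        return False
    return frames[0]['command'] == CMD_HELLO and frames[1]['command'] == CMD_SYSINFO


def sample_session():
    '''Constructed frames standing in for the exchange from the post. The keys
    and the sysinfo body are invented; on the wire the body would be ciphertext.'''
    hello = build_frame(0x11223344, CMD_HELLO, b'')
    ask = build_frame(0x55667788, CMD_SYSINFO, b'')
    body = bytes(range(0x20, 0x60))     # placeholder for encrypted system information
    reply = build_frame(0x99AABBCC, CMD_SYSINFO, body)
    return hello, ask, reply


if __name__ == '__main__':
    hello, ask, reply = sample_session()
    frames, rest = parse_frames(hello + ask + reply)
    for f in frames:
        print(hex(f['key']), f['command'], f['length'])
    print('handshake:', is_poison_ivy_handshake(frames), 'leftover bytes:', len(rest))
```

Feeding a stream into parse_frames in arbitrary chunks and carrying rest forward is what makes this usable on a pcap reassembled from the svchost.exe connection; the per-frame key at +00 is kept alongside the data so a decryptor can be plugged in once the algorithm is recovered.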
Once the malware receives this command, it calls a long series of APIs to collect the system information:\r\nIt gathers the system’s current usage of both physical and virtual memory by calling GlobalMemoryStatusEx.\r\nIt gets the CPU speed from the registry value “HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\0\\~MHz”.\r\nIt gets the free disk space of all partitions by calling GetDiskFreeSpaceExA.\r\nIt gets the CPU architecture by calling GetNativeSystemInfo.\r\nIt collects display settings by calling EnumDisplaySettings.\r\nIt collects file information from kernel32.dll.\r\nIt gets the current computer name and user name by calling GetComputerName and GetUserName.\r\nIt also gets the system time by calling GetSystemTime, and the system version by calling GetVersionEx.\r\nFinally, it appends svchost.exe’s full path and a constant string, “PasteBin83”, which comes from the decrypted configuration data (see Figure 13 again).\r\nIn Figure 16 you can see the collected system information before encryption. Figure 17 shows the data after encryption as it’s about to be sent to the C\u0026C server. The first four bytes are the key used to encrypt or decrypt the following data.\r\nFigure 16. Collected information from the victim’s system\r\nFigure 17. Encrypted system information from victim’s system\r\nFrom my analysis during the malware runtime, I could determine that the malware keeps obtaining the C\u0026C server’s IP address from PasteBin and communicating with the C\u0026C server in an infinite loop (calling Sleep(1000) between iterations to suspend execution).\r\nSo far, I have only seen the commands “030001” and “030003” being used. 
I’ll continue to monitor and analyze the malware’s behavior to see what else it will do.\r\nSolution\r\nThe FortiGuard Antivirus service detects the file \"Payment_Advice.ppsx\" as MSOFFICE/PoisonIvy.A!tr.dldr and \"Thumbs.bmp\" as MSOFFICE/PoisonIvy.A!tr.\r\nIOC\r\nURL:\r\nhxxp://203.248.116.182/images/Thumbs.bmp\r\nC\u0026C server (decrypted from PasteBin, see Figure 15):\r\n172.104.100.53:443\r\nPasteBin pages holding the encrypted C\u0026C address:\r\nhxxps://pastebin.com/Xhpmhhuy\r\nhxxps://pastebin.com/m3TPwxQs\r\nhxxps://pastebin.com/D8A2azM8\r\nhxxps://pastebin.com/KQAxvdvJ\r\nSample SHA-256 hashes:\r\nPayment_Advice.ppsx\r\nE7931270A89035125E6E6655C04FEE00798C4C2D15846947E41DF6BBA36C75AE\r\nThumbs.bmp\r\nA3E8ECF21D2A8046D385160CA7E291390E3C962A7107B06D338C357002D2C2D9\r\nSource: https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant.html"
	],
	"report_names": [
		"deep-analysis-of-new-poison-ivy-variant.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434301,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f886a8706a61dd81bf2d549327b6ad405d841d7.pdf",
		"text": "https://archive.orkl.eu/6f886a8706a61dd81bf2d549327b6ad405d841d7.txt",
		"img": "https://archive.orkl.eu/6f886a8706a61dd81bf2d549327b6ad405d841d7.jpg"
	}
}