######  MENU # New Poison Ivy Activity Targeting Myanmar, Asian Countries By **[Jason Jones](https://www.arbornetworks.com/blog/asert/author/jasonjones/)** on 04/26/2016. Posted in **[advanced persistent threats](https://www.arbornetworks.com/blog/asert/category/advanced-persistent-threats/)**, **[Backdoors](https://www.arbornetworks.com/blog/asert/category/malware/backdoors/)**, **[Malware](https://www.arbornetworks.com/blog/asert/category/malware/)** . ###### The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently, and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks’ Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite di�erently from a variant recently observed by ASERT that has been active for at least the past 12 months. ## Technical Details ###### The PIVY variant that ASERT has observed has exhibited some newer behavior that we have not seen discussed previously. The samples drop a decoy doc – usually hinting clearly at the target, a DLL named ActiveUpdate.dll and the PIVY shellcode �le as Active.dat. The ActiveUpdate.dll and Active.dat �les are created in a directory that follows the format ActiveUpdate_ [0-9]{3}. The executable copies rundll32.exe to ActiveFlash.exe and then executes the new �le with the path to the DLL and installs itself for automatic startup via a .lnk in the Windows Startup folder. ESET identi�ed these samples as “Win32/Korplug.I[F-I] variant“, possibly due to the appearance of the malware using DLL sideloading with rundll32 to load the dropped DLL and perform its malicious actions. This deployment tactic dates well into last year (and possibly before) using di�erent executable names for the rundll32 copy and the base directory name, however this post will only cover a subset of the variant using “ActiveUpdate”. ----- ###### Illustration of execution process of one PIVY Sample The compile times on these binaries also closely correlate to the times they were �rst observed in-the-wild and some samples contained timestamp-like entities in the various campaign IDs �elds in the malware con�guration. The decrypted con�guration appears to be slightly modi�ed in such a way as to confuse some publicly available tools that parse the con�guration data. The campaign ID is not fully null-padded – there is now one null-byte and a string of repeating “x” characters that will cause confusion for some scripts. Additionally, the C2s are no longer null-padded – each hostname ends with a null-byte that is then followed by a string that will look something like “0.1127.0.0.1127.0.0.100000”. This string will change slightly with each Command & Control (C2) server – the portions that start with “1” will change to 2 for the second C2, 3 for the third, etc. These values end up being present elsewhere in memory without the extra items and only small tweaks are needed to �x the parsing. The hostname webserver.servehttp[.]com is observed in a number of PIVY samples, some of which are covered in this post. Additionally, the IP resolved to by this hostname overlapped with �leshare.serveftp[.]com which was used in an earlier and seemingly unrelated PIVY sample. ## Decoy Document and Targeting Information ###### A number of PIVY samples were observed to be targeting Myanmar and several other countries in Asia. While the exact targets and delivery methods are not known to ASERT at this time, the documents and submission sources provide strong hints as to the i i d i l f h l i i i Th l ----- ###### to be referencing a report that was released on November 25, 2015 and it was �rst seen late evening in the US on November 24, 2015 which would equate to November 25 in Myanmar. The document was dropped as “STEP Democracy Year 1 Acheivements_25112015.docx” and was also dropped by SHA1 724166261e9c2e7718be22b347671944a1e7fded with the name “Year1achievementsv2.docx“, but that sample uses a di�erent communications password over the same set of C2s. The documents may be drafts of a �nal report released in December by the International Institute for Democracy and Electoral Assistance (IDEA), a part of the STEP Democracy initiative. The IDEA is “part of the European Union-funded project Support to Electoral Processes and Democracy (STEP Democracy)” whose goal is to support democracy worldwide. The IDEA has been working with Myanmar before and after their recent election to ensure “peaceful, transparent and credible elections.” Part of this work includes publishing reports and drafts such as those referenced above. In this case, the bait �le document metadata contains a company name of “IDEA” with an author of “Sophia” – possibly referencing a current member of the organization and a last edited date of November 20, 2015. The content of the document details a debate around the democratic elections in Myanmar. This timeline would put the targeting past the elections that occurred in early November, but appears to still be focused on individuals interested in democracy inside of Myanmar. The targeting of the post-election Myanmar appears to be following the same style as what was mentioned in the “Uncovering the Seven Pointed Dagger” paper by ASERT. In this case however it appears that threat actors began using references to the STEP organization to continue their likely spearphish tactic by leveraging content relevant to post-election Myanmar. A possible connection exists given that the C2 for these samples – jackhex.md5c[.]com – resolved to an IP contained within 103.240.203.0/22 as did a 9002 RAT sample in the Seven Pointed Dagger exploitation campaign. A “LURK0” Gh0strat and another PIVY domain were also observed to have resolved to IPs contained within this range, making this subnet more suspicious from a targeted attack perspective. ----- ###### campaign ID of “mm20160405” and dropped a document named “Chairman’s Report of the 19th ASEAN Regional Forum Heads of Defence Universities, Colleges, Instiutions Meeting, Nay Pay Taw, Myanmar.doc” that references an Association of Southeast Asian Nations (ASEAN) meeting that took place in Myanmar in September of 2015. The timing of this sample is quite di�erent from the earlier sample and seems to suggest at least a followup campaign due to the malware compilation timestamp of March 28, 2016, combined with an apparent timestamp value in the campaign ID of April 5, 2016 and the fact that the binary was �rst observed in the wild on April 11, 2016. The mutex speci�ed in the con�guration – 20150120 – is the same mutex used in the earlier sample that dropped a document referencing the STEP program, but this mutex is also used in many other PIVY samples that use the “ActiveUpdate” directory structure and is likely not useful for identifying the campaign or a relationship between samples outside of possibly sharing a similar version. The C2 used in this sample – admin.nslookupdns[.]com – resolved to an IP contained in the subnet 118.193.218.0/24. Similar to the previous sample discussed, ASERT has observed an overlap between many other malware families including Nitol, Gh0strat, and another PIVY sample that uses “ActiveUpdate“. This sample’s C2 domain is news.tibetgroupworks[.]com which provides an obvious suggestion at targeting dynamics, however no decoy documents were dropped and no further information was discovered to help support the targeting hypothesis. ----- ###### “Robertus Subono-REGISTRATION_FORM_ASEAN_CMCoord2016.docx” that references an ASEAN Humanitarian Civil Military Coordination meeting that took place in Bangkok between March 28 and April 1 2016. The document purports to be a registration form for an attendee from Indonesia and is supposed to be sent to a Thailand Ministry of Defense email address. The sample has a compilation date of March 10, 2016, was �rst observed by ASERT on March 20, 2016 and also contains an invalid digital signature claiming to be signed by Google. Coupling the campaign ID of “modth” with the purpose and location of the meeting and the email address this form is supposed to be mailed to, a possible target of this sample could be Thailand’s Ministry of Defense. The C2s used by this sample overlap with the prior sample that references the ASEAN meeting in Myanmar nearly perfectly – the �rst C2 uses port 80, whereas the prior sample used 81 and they both use the same mutex and password. This overlap suggests a possible ongoing targeting towards ASEAN members and meetings that they hold. Decoy document dropped by 31756ccdbfe05d0a510d2dcf207fdef5287de285 referencing an ASEAN meeting in Thailand The decoy document “2016.02.29-03.04 -ASEM Weekly.docx” dropped by ec646c57f9ac5e56230a17aeca6523a4532�472 was also interesting in that it was not in English like the other two observed documents – Google Translate identi�es the language in the document as Mongolian. ----- ###### Decoy document references an Asia-Europe Meeting (ASEM) dropped by ec646c57f9ac5e56230a17aeca6523a4532�472 The decoy document 1.docx that is dropped by f389e1c970b2ca28112a30a8cfef1f3973fa82ea shows as corrupted when executed in a sandbox, but manual recovery yielded a document in Korean with a malware campaign ID of kk31. The document appears to reference Korean language schools abroad and the telephone number present yields an a�liation with the Korean Ministry of Foreign A�airs, but the intended target is unclear at this time. ----- ###### Korean language decoy document dropped by Sample f389e1c970b2ca28112a30a8cfef1f3973fa82ea dropped a decoy document named “Commission on Filipinos Overseas & Dubai.doc“, but this document did not render correctly in a malware sandbox or manually. VirusTotal revealed a sample from the Philippines which suggests that they, not Dubai / UAE, were the targets. The C2s for this sample used webserver.servehttp[.]com, also exhibited by many of the recent samples which suggests the same actor may be involved in this campaign activity. ## Conclusion ###### As this post and other recent posts detail, PIVY continues to evolve and be used in a myriad of targeted exploitation campaigns – not unlike many other targeted malware families such as PlugX or the Dukes. This will certainly not be the last evolution of PIVY, and ASERT continues to monitor these threats as they are discovered. I would also like to say thank you to Curt Wilson of ASERT for his assistance with research covered in this post. ## IOCS ###### Con�guration elements and additional information for samples discussed in this article. ----- Name:STEP Democracy Year 1 Acheivements_25112015.exe Decoy Doc: STEP Democracy Year 1 Acheivements_25112015.docx Campaign ID: om C2s: jackhex.md5c.net:8080 jackhex.md5c.net:53 jackhex.md5c.net:53 Mutex: 20150120 Password: 18703983384 SHA1: 724166261e9c2e7718be22b347671944a1e7fded First Seen: Nov. 23, 2015 Name:Year1achievementsv2.exe Decoy Doc: Year1achievementsv2.docx Campaign ID: om C2s: jackhex.md5c.net:8080 jackhex.md5c.net:53 jackhex.md5c.net:53 Mutex: 20150120 Password: 15911117665 SHA1: 675a3247f4c0e1105a41c685f4c2fb606e5b1eac First Seen: April 7, 2016 Name: Commission on Filipinos Overseas & Dubai %E2%80%AEcod.doc Decoy Doc: Commission on Filipinos Overseas & Dubai.doc Campaign ID: gmkill C2s: webserver.servehttp.com:8080 webserver.servehttp.com:8080 webserver.servehttp.com:8081 Mutex: 20150120 Password: 13813819438 SHA1: 63e00dbf45961ad11bd1eb55dff9c2771c2916a6 First Seen: April 11, 2016 Name: 1.exe Decoy Doc: Chairman's Report of the 19th ASEAN Regional Forum Heads of Defence Universitie Campaign ID: mm20160405 Domain Created: December 17, 2015 C2s: admin.nslookupdns.com:81 admin.nslookupdns.com:53 admin.nslookupdns.com:8080 Mutex: 20150120 Password: 52100521000 SHA1: 31756ccdbfe05d0a510d2dcf207fdef5287de285 First Seen: March 20, 2016 Name: Unknown Decoy Doc: Robertus Subono‐REGISTRATION_FORM_ASEAN_CMCoord2016.docx Campaign ID: modth Domain Created: December 17, 2015 C2s: admin.nslookupdns.com:80 di l k d 53 ----- SHA1: ec646c57f9ac5e56230a17aeca6523a4532ff472 First Seen: March 10, 2016 Name: 2016.02.29‐03.04 ‐ASEM Weekly.docx.rar^2016.02.29‐03.04 ‐ASEM Weekly.docx.exe Decoy Doc: 2016.02.29‐03.04 ‐ASEM Weekly.docx (Mongolian language) Campaign ID: wj201603 Domain Created: January 14, 2016 C2s: web.microsoftdefence.com:8080 web.microsoftdefence.com:8080 web.microsoftdefence.com:80 Mutex: 20150120 Password: 80012345678 SHA1: f389e1c970b2ca28112a30a8cfef1f3973fa82ea Name: Unknown Decoy Doc: 1.docx (corrupted but recoverable, Korean language) First Seen: April 9, 2016 CampaignID: kk31 C2s: webserver.servehttp.com:59148 webserver.servehttp.com:59418 webserver.servehttp.com:5000 Mutex: 20160301 Password: 13177776666 SHA1: 49e36de6d757ca44c43d5670d497bd8738c1d2a4 Name: Unknown Decoy doc: 1.pdf, references project in Vietnam requesting an email to a Thailand email ad First Seen: March 10, 2016 C2s: webserver.servehttp.com:59148 webserver.servehttp.com:59418 webserver.servehttp.com:1024 Mutex: 20160219 Campaign ID: mt39 Discovered during investigation, but do not drop decoy docs, exhibited similar configurati SHA1: ef2618d58bd50fa232a19f9bcf3983d1e2dff266 Name: 2.tmp Decoy Doc: None First Seen: June 3, 2015 Domain Created: May 29, 2015 C2s: news.tibetgroupworks.com:80 news.tibetgroupworks.com:80 news.tibetgroupworks.com:80 Campaign ID: 213 Mutex: 2015012 ### SHA1 Hashes ----- ###### 49e36de6d757ca44c43d5670d497bd8738c1d2a4 cbbfc3b5�08de14fdb2316f3b14886dfe5504ef a7d206791b1cdec616e9b18ae6fa1548ca96a321 ec646c57f9ac5e56230a17aeca6523a4532�472 ef2618d58bd50fa232a19f9bcf3983d1e2d�266 f389e1c970b2ca28112a30a8cfef1f3973fa82ea ### Unique C2 Hostnames ###### news.tibetgroupworks.com web.microsoftdefence.com admin.nslookupdns.com jackhex.md5c.net webserver.servehttp.com **SEND FEEDBACK** Arbor’s Security Engineering & Response Team (ASERT) delivers world-class network security research and analysis for the bene�t of today’s enterprise and network operators ASERT engineers and researchers are part of an elite group of institutions ----- one operator and a majority of service provider networks globally. ASERT shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) and with thousands of network operators via in-band security content feeds. ASERT also operates the world’s largest distributed honeynet, actively monitoring Internet threats around the clock and ® around the globe via ATLAS, Arbor’s global network of sensors: [http://atlas.arbor.net.](http://atlas.arbor.net/) ###### TAG CLOUD [Black Peace Group](https://www.arbornetworks.com/blog/asert/tag/black-peace-group/) [Attacks](https://www.arbornetworks.com/blog/asert/tag/attacks/) [algorithm](https://www.arbornetworks.com/blog/asert/tag/algorithm/) [Aldi](https://www.arbornetworks.com/blog/asert/tag/aldi/) [504](https://www.arbornetworks.com/blog/asert/tag/504/) [tra�c](https://www.arbornetworks.com/blog/asert/tag/traffic/) [network](https://www.arbornetworks.com/blog/asert/tag/network/) [Iran](https://www.arbornetworks.com/blog/asert/tag/iran/) [Internet Protocol](https://www.arbornetworks.com/blog/asert/tag/internet-protocol/) [hijack](https://www.arbornetworks.com/blog/asert/tag/hijack/) [Facebook](https://www.arbornetworks.com/blog/asert/tag/facebook/) Dirt Jumper [Danny McPherson](https://www.arbornetworks.com/blog/asert/tag/danny-mcpherson/) [China](https://www.arbornetworks.com/blog/asert/tag/china/) [Bot Wikileaks IPv6 Armageddon YouTube](https://www.arbornetworks.com/blog/asert/tag/bot/) [Security](https://www.arbornetworks.com/blog/asert/tag/security/) ### Botnet Internet service provider Internet tra�c Google ##### outage Arbor Networks - DDoS Experts BGP peering "End of Internet" Botnets Crypto [Denial-of-service attack](https://www.arbornetworks.com/blog/asert/tag/denial-of-service-attack/) [down](https://www.arbornetworks.com/blog/asert/tag/down/) [Halloween](https://www.arbornetworks.com/blog/asert/tag/halloween/) [internet](https://www.arbornetworks.com/blog/asert/tag/internet/) [IPv4](https://www.arbornetworks.com/blog/asert/tag/ipv4/) [malware](https://www.arbornetworks.com/blog/asert/tag/malware-2/) [Streaming media](https://www.arbornetworks.com/blog/asert/tag/streaming-media/) [500 Internal DDoS](https://www.arbornetworks.com/blog/asert/tag/500-internal-ddos/) [AlbaDDoS](https://www.arbornetworks.com/blog/asert/tag/albaddos/) [Aldi Bot](https://www.arbornetworks.com/blog/asert/tag/aldi-bot/) [attack](https://www.arbornetworks.com/blog/asert/tag/attack/) [Beer DDoS](https://www.arbornetworks.com/blog/asert/tag/beer-ddos/) [Blog](https://www.arbornetworks.com/blog/asert/tag/blog/) ----- ----- ----- ----- ----- ----- ----- ----- **[CORPORATE SITE](https://www.arbornetworks.com/)** **[PRIVACY POLICY](https://www.arbornetworks.com/privacy-policy/)** **[THREAT PORTAL](https://www.arbornetworks.com/threats/)** **[LEGAL](https://www.arbornetworks.com/legal-notice/)** **[ATLAS PORTAL](http://atlas.arbor.net/)** © 2016 Arbor Networks, Inc. All rights reserved. -----