Poison Ivy is a Remote Access Tool (RAT) that is commonly leveraged by threat actors because it is free and easy to use. It provides a quick, feature-rich platform for controlling a compromised system: installing a C2 server and building a malware sample takes a few mouse clicks. Below are the steps required to set up the C2 server and create the malicious binary used to compromise the victim.

Setting up Poison Ivy Server and Client:

Opening the extracted PI binary:

pi1

Creating a new profile to setup a new malware sample:

p1

Supply the connection information for the sample. Here we specify the IP address and port that the PI client binary will connect back to, and the password used to authenticate the connection. The defaults are port 3460 and the password "admin"; samples left at either default are trivially recognizable, so note what you chose.

p2

Next you set up the persistence mechanism for the Poison Ivy binary. You can choose where the binary is copied once executed and whether it should be stored in an NTFS alternate data stream (ADS), which hides the file from Explorer and from a plain dir listing. An ADS is not hidden from dir /r or from PowerShell's Get-Item -Stream *, so those are the checks to run on a suspect host:

p3

Next you can set up the advanced features, including mutex creation, process injection, keylogger functionality, and the output file format. The mutex name is worth recording for every sample you build: the default, )!VoqA.I4, is a widely published indicator of a PI infection, so a custom name changes what defenders will see:

p4

Finally you can add a third-party utility to pack the binary, then click "Generate":

p5

Now that the binary is created you can set up the Poison Ivy listening service on the C2 server. Here we use the default settings because the client binary was configured with default settings:

p6

Once the binary is distributed to the victim machine and launched, it connects back to the C2 server and the remote session is spawned:

p7

Below is the main GUI screen used to interact with the compromised machine. The list on the left-hand side shows the various actions you can perform against it:

pi_interface

Screenshot of the victim machine:

pi_ss

Keylogger Functionality:

pi_keylogger

Invoke a remote shell (select Remote Shell > Right-Click > Activate):

pi_shell

Modify the victim’s registry:

p12

Extract password hashes:

p13

Pwning Poison Ivy Server:

The Poison Ivy listening service on the C2 server is vulnerable to a stack-based buffer overflow; Metasploit ships an exploit for it as exploit/windows/misc/poisonivy_bof. Note that the vulnerable component is the attacker-side controller, not the implant on the victim, so this is a way to compromise or take down PI infrastructure rather than a way to clean an infected host. Below is a video showing how to exploit the PI server using Metasploit:

Scanning for Poison Ivy C2 Servers:

AlienVault Labs posted some logic to detect the presence of a PI server. Below is a script, available in our GitHub repository, that applies the AlienVault Labs logic to detect the PI listening service:

pi_scanner_001

The script is invoked with "-t" for the target host and "-p" for the target port. It is common to see PI servers listening on one of the following ports: 3460 (the default), 80, 443, 8080, and 8000. Below is the script's output:

pi_scanner
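As an added example, not the repository script shown above and not AlienVault's code, the following Python 3 scanner implements the same kind of handshake probe with the same -t/-p invocation. It assumes the AlienVault fingerprint as commonly described for Poison Ivy 2.3.x: the listener answers any 256-byte challenge with 256 bytes (the challenge encrypted under the configured password, so no password knowledge is needed) and then announces its second-stage stub size as the 4-byte little-endian value 0x15D0. That value and the handshake shape are assumptions to check against the repository script before relying on them. The probe is written against any object exposing sendall/recv so it can be exercised with a canned response without a live C2.

```python
#!/usr/bin/env python3
"""Poison Ivy C2 listener fingerprinter (added example, not the original repository script)."""
import argparse
import socket
import struct
import sys

CHALLENGE_LEN = 256
# Assumption: a PI 2.3.x C2 listener answers the implant's 256-byte challenge with
# 256 bytes of encrypted data, then sends the size of the second-stage stub as a
# 4-byte little-endian integer, 0x15D0 (5584 bytes). Verify before relying on it.
STUB_SIZE_MARKER = struct.pack("<I", 0x15D0)


def recv_exact(sock, n):
    """Read exactly n bytes; return None if the peer closes or times out first."""
    buf = b""
    while len(buf) < n:
        try:
            chunk = sock.recv(n - len(buf))
        except socket.timeout:
            return None
        if not chunk:
            return None
        buf += chunk
    return buf


def probe_poison_ivy(sock):
    """Run the handshake probe over a connected socket-like object.

    Returns (is_pi, reason). Only sendall() and recv() are used, so the function
    can be tested offline with a fake socket carrying a canned response.
    """
    # The challenge content is irrelevant to the server: it encrypts whatever it
    # receives with its own password, so a block of zeros is enough to elicit a reply.
    sock.sendall(b"\x00" * CHALLENGE_LEN)

    reply = recv_exact(sock, CHALLENGE_LEN)
    if reply is None:
        return False, "no 256-byte reply to the challenge"
    header = recv_exact(sock, 4)
    if header is None:
        return False, "256-byte reply but no stub-size header"
    if header != STUB_SIZE_MARKER:
        return False, "unexpected stub-size header %s" % header.hex()
    size = struct.unpack("<I", header)[0]
    return True, "Poison Ivy C2 listener (second-stage stub size 0x%04X)" % size


def scan(host, port, timeout=5.0):
    """Connect to host:port and run the probe; raises OSError on connection failure."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return probe_poison_ivy(sock)


def main(argv=None):
    parser = argparse.ArgumentParser(description="Poison Ivy C2 listener scanner")
    parser.add_argument("-t", "--target", required=True, help="target host")
    parser.add_argument("-p", "--port", type=int, default=3460, help="target port (default 3460)")
    args = parser.parse_args(argv)
    try:
        hit, reason = scan(args.target, args.port)
    except OSError as exc:
        print("[-] %s:%d connection failed: %s" % (args.target, args.port, exc))
        return 2
    print("[%s] %s:%d %s" % ("+" if hit else "-", args.target, args.port, reason))
    return 0 if hit else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python3 pi_scan.py -t 203.0.113.10 -p 3460` (address constructed for illustration). A web server on 80 or 443 answers the zero-filled challenge with an HTTP error rather than 256 bytes plus the stub header, so it is reported as a miss; reading the stub size rather than only counting reply bytes is what keeps the probe from flagging any service that happens to echo or pad to 256 bytes.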