Researchers uncovered the resurgence of APT-C-01, also known as the Poison Ivy group, an advanced persistent threat organization notorious for its sustained cyber attacks.
This group has been actively targeting sectors such as defense, government, technology, and education since 2007, utilizing sophisticated phishing techniques including watering hole phishing and spear phishing.
Recent threat-hunting activities have revealed an uptick in Poison Ivy’s operations. Investigators have discovered the group mimicking official websites to create convincing phishing pages.
Upon visiting these sites, victims unknowingly trigger the automatic download of malicious payloads designed to deploy the Sliver Remote Access Trojan (RAT).
This malware facilitates unauthorized access, allowing the attackers to steal sensitive information and conduct remote operations.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
Attack Analysis
Poison Ivy’s modus operandi involves creating near-identical copies of legitimate websites. Upon accessing these spoofed sites, the target automatically downloads a malicious loader, disguised with a PDF icon to avoid suspicion.
This loader is a heavily obfuscated .NET compiled Portable Executable (PE) file, configured to decrypt an initial URL along with a specific AES key and initialization vector.
It subsequently downloads, decrypts, and executes shellcode that loads the final Sliver RAT component.
Security analysts have isolated and scrutinized several samples of this loader. A notable sample, disguised as “auto-download.zip,” measures 119.50 KB and has an MD5 hash of 61c42751f6bb4efafec524be23055fba.
Upon execution, this file decrypts a specially encrypted payload embedded within the shellcode, ultimately loading the Sliver RAT into memory.
Sliver is an open-source, cross-platform command-and-control (C2) framework written in Golang, capable of operating on Windows, Linux, and macOS.
Its features include file manipulation, process operations, privilege escalation, process injection, lateral movement, remote shell execution, and obfuscation of function names to evade detection.
The persistence of APT-C-01 and their adept use of deceptive phishing strategies underscore the importance of heightened cybersecurity awareness.
Organizations and individuals are urged to exercise caution with unfamiliar links and email attachments to prevent potential breaches of sensitive information.
Maintaining robust security practices is essential to defending against such sophisticated cyber threats.
Analyse Advanced Malware & Phishing Analysis With ANY.RUN Black Friday Deals :Â Get up to 3 Free Licenses.
Indicators of Compromise for SOC/DFIR Teams
D5:
- 61c42751f6bb4efafec524be23055fba
- 3bd15b16a9595d20c0e185ab1fae738f
- 7f0dba2db8c3fdd717d83bb693b3ade9
- 88e306f4d6a33703316e794a9210f528
- 3a74ed8d1163d1dbc516410d1b8081fa
C2:
- 165.22.97[.]48
- 158.247.208[.]174
- 128.199.134[.]3
caac-cn[.]org
caac-cn[.]com