Danger level 6
Type: Other

FreeHosting APT PowerSploit Poison Ivy: A Sophisticated Cyber Attack Targeting Selected Users

The Internet is becoming more and more dangerous. Various sophisticated attacks target Internet users, and FreeHosting APT PowerSploit Poison Ivy is one of them: it affected a handful of users back in 2017. Even though it is a thing of the past, that does not mean the attack, or a similar one built on the same modus operandi, cannot be repeated by hackers, so we would like to tell you more about it. FreeHosting APT PowerSploit Poison Ivy no doubt belongs to the sophisticated cyber attacks category since it consists of two major elements: a free hosting provider that hosts a malicious VBScript, and the PoisonIvy RAT (a Remote Access Trojan) that was injected into affected users’ systems without their knowledge. There is probably no need to say that affected users were not informed that harmful malware had entered their computers. The exact number of users the FreeHosting APT PowerSploit Poison Ivy cyber attack affected is unknown, but if you can remember clicking on a link inside an email, it would be clever to scan the system with an antimalware scanner. If it turns out that you have fallen victim to FreeHosting APT PowerSploit Poison Ivy and have the RAT active on your system, you must take action immediately.

The FreeHosting APT PowerSploit Poison Ivy cyber attack begins with email messages containing a malicious link being sent out to selected users. Once the person who receives that email clicks on the link, the malicious VBScript is launched. It then immediately executes a CMD command: powershell.exe -w hidden -ep bypass. The -w hidden switch hides the PowerShell window from the user, and -ep bypass switches off the script execution policy check, so the script runs without any prompt. Then, the script downloads a file named Meeting_summary.doc and executes it. As you can see, the file is named like an ordinary document, so it is not a surprise that so many unsuspecting users fall for it. Once the .doc file is opened using MS Word, another PowerShell script encoded using Base64 (just like the primary VBScript) is downloaded automatically. More attentive users might notice a new process named userinit.exe appear in Task Manager in that phase of the cyber attack. There is probably no need to say that the process is fake: it only imitates the legitimate Windows process of the same name. Soon after the process is created, the script injects shellcode into it. Additionally, the PoisonIvy RAT is injected into the computer. Once this takes place, a second piece of shellcode is injected into the process. Finally, the malicious process visible in Task Manager creates a file named Plug1.dat, which establishes communication with the C&C server. This file might be used to collect information about the victim and his/her machine. It might also monitor all new connections and extract information about the affected PC from the system registry. These details include the type of OS, processor architecture, processor type, existing directories, and much more.
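The chain above leaves two cheap signals in process-creation telemetry: a PowerShell launched with a hidden window and a bypassed execution policy from a script host or Office application, and a userinit.exe that lives outside System32 and was not started by winlogon.exe. The following script is an added example written for this page, not code from the original article or from any product it mentions; the sample events are constructed (field names follow Sysmon Event ID 1, every path and value is invented), and the parent-process list is an assumption about what rarely spawns PowerShell on a workstation. It goes slightly beyond the article by accepting the abbreviated switch spellings that powershell.exe itself accepts (-w, -win, -WindowStyle; -ep, -ex, -ExecutionPolicy; -e, -enc, -EncodedCommand), since logs rarely contain the exact string quoted above.

```python
"""Flag process-creation events that match the FreeHosting APT PowerSploit Poison Ivy chain.

Added example, not part of the original page. SAMPLE_EVENTS is constructed for
illustration: field names follow Sysmon Event ID 1, but paths and values are invented.
"""
import shlex
from typing import Dict, List

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. VBScript stage: wscript.exe launches PowerShell with the switches the article quotes.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    # 2. Document stage: Word launches PowerShell with long-form switches and an encoded payload.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -enc <base64_placeholder>",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # 3. Fake userinit.exe: wrong directory, wrong parent (constructed temp path).
    {"Image": r"C:\Users\victim\AppData\Local\Temp\userinit.exe",
     "CommandLine": "userinit.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # 4. Real userinit.exe at logon: lives in System32, started by winlogon.exe.
    {"Image": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "userinit.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    # 5. Ordinary admin script: visible window, RemoteSigned policy, parent explorer.exe.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumption: parents that should rarely spawn PowerShell directly on a workstation.
SCRIPT_AND_OFFICE_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                           "winword.exe", "excel.exe", "outlook.exe"}


def _is_switch(token: str, full_name: str, min_len: int) -> bool:
    """powershell.exe accepts any prefix of a switch name that is at least min_len
    characters long (so -w, -win and -WindowStyle all mean WindowStyle); a switch
    may be introduced with - or /."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return min_len <= len(name) <= len(full_name) and full_name.startswith(name)


def powershell_flags(command_line: str) -> Dict[str, bool]:
    """Report the switches used to run quietly: hidden window, policy bypass, encoded payload."""
    tokens = shlex.split(command_line, posix=False)  # non-POSIX mode keeps Windows backslashes
    flags = {"hidden": False, "bypass": False, "encoded": False}
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1].strip("\"'").lower() if i + 1 < len(tokens) else ""
        if _is_switch(tok, "windowstyle", 1) and nxt == "hidden":
            flags["hidden"] = True
        elif (_is_switch(tok, "executionpolicy", 2) or _is_switch(tok, "ep", 2)) \
                and nxt in ("bypass", "unrestricted"):
            flags["bypass"] = True
        elif (_is_switch(tok, "encodedcommand", 1) or _is_switch(tok, "ec", 1)) and nxt:
            flags["encoded"] = True
    return flags


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons one process-creation event resembles this intrusion chain."""
    image = event["Image"].lower()
    parent = event.get("ParentImage", "").lower()
    exe, parent_exe = image.rsplit("\\", 1)[-1], parent.rsplit("\\", 1)[-1]
    findings: List[str] = []
    if exe in ("powershell.exe", "pwsh.exe"):
        flags = powershell_flags(event["CommandLine"])
        if flags["hidden"] and flags["bypass"]:
            findings.append("powershell started hidden with the execution policy bypassed")
        if flags["encoded"]:
            findings.append("powershell given an encoded command")
        if parent_exe in SCRIPT_AND_OFFICE_HOSTS:
            findings.append(f"powershell spawned by {parent_exe}")
    elif exe == "userinit.exe":
        # The genuine binary lives in System32 and is started by winlogon.exe at logon.
        if not image.startswith("c:\\windows\\system32\\"):
            findings.append("userinit.exe running outside System32")
        if parent_exe != "winlogon.exe":
            findings.append("userinit.exe not started by winlogon.exe")
    return findings


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of every suspicious event to its findings; clean events are omitted."""
    return {i: found for i, e in enumerate(events) if (found := classify(e))}


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {'; '.join(reasons)}")
```

Run against the constructed sample, events 1 to 3 are flagged and the genuine userinit.exe and the RemoteSigned admin script pass clean. The userinit.exe check relies on the image path and parent rather than the process name alone, which is the detail that separates the impostor described above from the real logon helper.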

Speaking about the PoisonIvy RAT, which is dropped on the victim’s computer without his/her knowledge, it is a free and easy-to-use tool, which is why threat actors so often leverage it. Just like similar Remote Access Trojans, it is used to control a compromised system remotely. It has many capabilities, including keylogging, taking screenshots, spying on victims through the webcam, installing malware, obtaining login and password combinations, monitoring processes active on the system, deleting important applications installed on the system, and much more. Additionally, the RAT might connect the compromised machine to a botnet and spread further through it.

Theoretically, it is possible to remove all malicious components manually, but if it has turned out that the PoisonIvy RAT has been sitting on your system since 2017, you should perform an in-depth system scan using an automated malware remover, since it is very important to remove all of its components at once to disable it. Additionally, it could already have downloaded and installed a bunch of new malicious applications on your system. The easiest way to get rid of them all is to use an antimalware scanner. Specialists say that FreeHosting APT PowerSploit Poison Ivy is only one example of planned attacks targeted at a particular group of users, so you should be more careful from now on. First of all, you should quit your bad habit of opening every email attachment and downloading software from shady websites. Second, you simply cannot leave your system unprotected if you do not want to become a victim of a new cyber attack in the near future.
