Poison Ivy Group: 11 years of cyber espionage campaigns

Poison Ivy Group is known for attacks that focus on stealing data from the Chinese government and scientific research institutions. Their attacks mainly target documents.

Figure: Distribution map of infected areas in China

According to the research performed by 360.cn, the keywords used to select documents for theft are:

“201”,“2014”,“2015年”,“报”,“报告”,“兵”,“部队”,“对台”,“工作”,“规划”,“国”,“国际”,“航”,“合作”,“机”,“机场”,“基地”,“极地”,“军”,“军事”,“科技”,“密”,“内部”,“十”,“十三”,“台”,“台湾”,“铁路”,“无人”,“项”,“雪”,“研”,“运输”,“战”,“站”,“中”

The attacks target files with the following extensions:

“doc”,“ppt”,“xls”,“pdf”,“rtf”,“rar”,“wps”,“doc”,“ppt”,“xls*”

The 360 report traces this cyber espionage campaign over the last 11 years; the following milestones deserve attention:

  • In December 2007, the Trojan associated with the group was first discovered, in a marine-related field (suspected to be related to a large shipping company).
  • In March 2008, a key laboratory (a scientific research institution) of a university in China was attacked.
  • In February 2009, attacks against the military industry began (a well-known military journal).
  • In October 2009, the Trojan added a special method of defeating static scanning (API string reverse order); the method was used in most versions of the Trojan and was still applied in 2018.
  • In December 2011, the Trojan added a special method of defeating dynamic detection (error API parameters); the method was used in most versions of the Trojan and was still applied in 2015.
  • In February 2012, the first modified version of Backdoor 1, based on zxshell code, was discovered. Its key function is to steal document files such as .doc, .ppt, .xls and .wps.
  • In March 2013, intense attacks were mounted against the Chinese Academy of Sciences and a number of national ministries and commissions in fields such as science and technology and maritime affairs.
  • In October 2013, the group carried out a watering-hole attack on a Chinese government website.
  • In May 2014, modified version 2 of the zxshell-based Backdoor 1 was discovered. In addition to the functions of modified version 1, searches for keywords such as “military (军)”, “aviation (航)” and “report (报告)” were added.
  • On September 12, 2014, events and samples related to CVE-2014-4114 (then a 0-day vulnerability) were first discovered.
  • On October 14, 2014, iSIGHT released its report disclosing CVE-2014-4114 (0-day vulnerability). On the same day, Microsoft released the corresponding security bulletin.
  • On February 25, 2015, an attack on a military industry association (national defense technology) and the Chinese Academy of Engineering was detected. Kanbox (酷盘) samples were discovered.
  • In October 2017, a document exploiting CVE-2017-8759 was used in a spear-phishing attack against a large media agency website and an individual working in Quanzhou.
  • In April 2018, the 360 Threat Intelligence Center disclosed the group's malicious code exploiting CVE-2017-8759.
  • In May 2018, the group launched attacks against several maritime organizations, such as shipbuilding companies and port operating companies.
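The October 2009 anti-static-scanning technique in the timeline (API string reverse order) is one a defender can look for statically. The following is an added example, not code from the 360 report or this article; it assumes the Trojan keeps Windows API names as reversed ASCII strings so that a plain string scan for the normal name finds nothing, and the API list and sample buffers are constructed for illustration.

```python
"""Added example: flag binaries that carry Windows API names reversed.

Assumption (not stated on the page): the Trojan stores API names byte-
reversed and un-reverses them at run time before resolving them, so
"CreateProcessA" is absent while "AssecorPetaerC" is present.
"""
import re

# Constructed watch list of APIs commonly resolved by document-stealing
# backdoors; extend as needed.
WATCHED_APIS = [
    b"CreateProcessA", b"WriteProcessMemory", b"VirtualAllocEx",
    b"GetProcAddress", b"LoadLibraryA", b"FindFirstFileW",
    b"InternetOpenA", b"WinExec",
]


def reversed_api_hits(data: bytes, apis=WATCHED_APIS) -> dict:
    """Return {api_name: [offsets]} for each watched API whose reversed
    form occurs in `data`. Forward-order names are ignored here because
    an ordinary string scan already catches those."""
    hits = {}
    for api in apis:
        rev = api[::-1]
        offsets = [m.start() for m in re.finditer(re.escape(rev), data)]
        if offsets:
            hits[api.decode()] = offsets
    return hits


def is_suspicious(data: bytes, threshold: int = 2) -> bool:
    """Flag a buffer when at least `threshold` distinct APIs appear
    reversed: one reversed match can be coincidence, several rarely are."""
    return len(reversed_api_hits(data)) >= threshold


# Constructed samples: the benign buffer keeps API names in normal order,
# the trojan-like buffer keeps them reversed, both padded with filler.
BENIGN_SAMPLE = b"\x00MZ" + b"CreateProcessA\x00GetProcAddress\x00" + b"\x90" * 16
TROJAN_SAMPLE = (b"\x00MZ" + b"\x90" * 8 + b"AssecorPetaerC\x00"
                 + b"yromeMssecorPetirW\x00" + b"AyrarbiLdaoL\x00" + b"\x90" * 8)

if __name__ == "__main__":
    print(reversed_api_hits(TROJAN_SAMPLE))
    print("benign suspicious:", is_suspicious(BENIGN_SAMPLE))
    print("trojan suspicious:", is_suspicious(TROJAN_SAMPLE))
```

Running it over real files means reading them in binary mode and passing the bytes to `is_suspicious`; the threshold keeps short names such as `WinExec` from triggering alone.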

Resources used:

  • http://blogs.360.cn/post/APT_C_01_en.html