Chapter 1 Overview
1. Main Findings
Through research, 360 Helios Team has found that, since 2007, the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against key Chinese units and departments, such as national defense, government, science and technology, education and maritime agencies. The group mainly targets the military industry, Sino-US relations, cross-strait relations and ocean-related fields. This indicates that the group's interests are similar to those of the OceanLotus APT group we published on previously.
360 Helios Team captured the first Trojan of the Poison Ivy Group in December 2007. In the following 11 years, we have captured 13 versions of malicious code, involving 73 samples. In the initial attack, the group mainly used spear phishing emails. Before the attack, the target was investigated in depth and carefully selected, and content closely related to the target's industry or field was used to construct the bait files and emails, such as specific conference materials, research papers or announcements. The lure documents include 10 exploit document samples, one of which exploited a 0-day vulnerability. Infections of this Trojan were found in 31 provincial-level administrative regions. 59 C&C domain names were identified, resolving to addresses in 4 different countries or regions.
In this cyber espionage campaign that lasted for 11 years in China, the following points in time are worthy of attention:
- In December 2007, the Trojan associated with the group was first discovered, involving marine-related fields (suspected to be related to a large shipping company)
- In March 2008, a key laboratory (a scientific research institution) of a university in China was attacked
- In February 2009, attacks against the military industry began (a well-known military journal)
- In October 2009, the Trojan added a special method of combating static scanning (API strings stored in reverse order); this method was used in most versions of the Trojan and continued to be applied through 2018.
- In December 2011, the Trojan added a special method of combating dynamic detection (incorrect API parameters); this method was used in most versions of the Trojan and continued to be applied through 2015.
- In February 2012, the first modified version of Backdoor 1, based on zxshell code, was discovered. Its key function is to steal document files such as .doc, .ppt, .xls and .wps.
- In March 2013, intense attacks were mounted against the Chinese Academy of Sciences and a number of national ministries and commissions in the fields of science and technology, maritime affairs, etc.
- In October 2013, a watering hole attack was carried out on a Chinese government website
- In May 2014, the second modified version of Backdoor 1 (based on zxshell) was discovered. In addition to the functions of the first modified version, it searches for keywords such as "military (军)", "aviation (航)" and "report (报告)".
- On September 12, 2014, events and samples related to CVE-2014-4114 (a 0-day vulnerability) were first discovered.
- On October 14, 2014, iSIGHT released the relevant report and disclosed CVE-2014-4114 (0-day vulnerability). On the same day, Microsoft released the relevant security bulletin.
- On February 25, 2015, an attack on a military industry association (national defense technology) and the Chinese Academy of Engineering was detected. Kanbox (酷盘) samples were discovered.
- In October 2017, a document exploiting CVE-2017-8759 was used to launch a spear phishing attack on a large media agency website and an individual working in Quanzhou.
- In April 2018, the 360 Threat Intelligence Center disclosed the group's malicious code that exploited CVE-2017-8759.
- In May 2018, the actor launched attacks against several maritime organizations such as shipbuilding companies and port operating companies.
Note: The first-attack dates above are based on the statistics we currently hold; they do not imply that we know all of the group's attacks and behaviors.
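The anti-static-scanning trick noted in the timeline (API names stored reversed so that plain string scanning misses them) can be checked for during sample triage. The following is an added example for this report, not code from 360 or from the group; the report does not name which APIs were reversed, so the watched list and the sample buffers are assumptions constructed for the example.

```python
import re

# Windows API names commonly resolved at runtime by loaders. The report only
# names the technique (reversed API strings), not the APIs, so this list is
# an assumption for the example.
WATCHED_APIS = (
    "LoadLibraryA", "GetProcAddress", "CreateRemoteThread",
    "WriteProcessMemory", "VirtualAllocEx", "InternetOpenA",
    "URLDownloadToFileA", "CreateProcessA",
)

def find_reversed_api_strings(data: bytes, names=WATCHED_APIS):
    """Return sorted (offset, api_name, encoding) tuples for every watched
    API name that appears reversed in data, in ASCII or UTF-16LE form."""
    hits = []
    for name in names:
        reversed_name = name[::-1]
        for enc in ("ascii", "utf-16-le"):
            needle = reversed_name.encode(enc)
            for m in re.finditer(re.escape(needle), data):
                hits.append((m.start(), name, enc))
    return sorted(hits)

def is_suspicious(data: bytes, names=WATCHED_APIS, threshold: int = 2) -> bool:
    """Flag a buffer when at least `threshold` watched APIs occur only in
    reversed form; a forward occurrence usually means a normal import table."""
    reversed_only = set()
    for _, name, _ in find_reversed_api_strings(data, names):
        forward = any(name.encode(e) in data for e in ("ascii", "utf-16-le"))
        if not forward:
            reversed_only.add(name)
    return len(reversed_only) >= threshold

# Constructed sample buffer (not a real malware fragment): two reversed ASCII
# API names and one reversed UTF-16LE name inside filler bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"AyrarbiLdaoL\x00"                      # "LoadLibraryA" reversed
    + b"sserddAcorPteG\x00"                    # "GetProcAddress" reversed
    + "xEcollAlautriV".encode("utf-16-le")     # "VirtualAllocEx" reversed
    + b"\x00\x00kernel32.dll\x00"
)

# Constructed benign control: the same names forward only, as an import table holds them.
BENIGN = b"LoadLibraryA\x00GetProcAddress\x00VirtualAllocEx\x00"

if __name__ == "__main__":
    for off, name, enc in find_reversed_api_strings(SAMPLE):
        print(f"0x{off:04x} {name} ({enc}, reversed)")
    print("suspicious:", is_suspicious(SAMPLE), is_suspicious(BENIGN))
```

Run over extracted strings or raw sections of a suspect file; a hit set with no forward occurrences is worth a closer look in the disassembler.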
2. About the Codename of the Group
Since 2015, APT research in China has gradually started and accelerated. Following the exposure of APT organizations such as "OceanLotus" and "LanBao Mushroom", the Poison Ivy Group (APT-C-01) is another APT organization that launches persistent attacks against government, military and maritime organizations and steals sensitive information.
This cyber espionage group was independently discovered by 360, and part of the information was disclosed previously. The codename follows 360's naming standard for APT organizations.
360 Threat Intelligence Center named the APT-C-01 organization "Poison Ivy" mainly for the following reasons. First, the organization used Poison Ivy Trojans in several attacks. Second, the organization used cloud disks as a springboard to transmit information, which resembles the way vines climb across a wall. According to the 360 Threat Intelligence Center's naming rules for APT organizations (see the report: China APT Annual Report 2016), and considering the vine plants common in the areas associated with the group, APT-C-01 is named "Poison Ivy".
In addition, Antiy Lab revealed the APT organization "Green Spot" on September 19, 2018. According to the mutual recognition agreement between 360 Threat Intelligence Center and Antiy Lab, the “Poison Ivy” (APT-C-01) and “Green Spot” are different names for the same group. Therefore, we have also announced our discovery.
Chapter 2 Purposes and Victims
The main purpose of the attacks is to steal data from the Chinese government and scientific research institutions, mainly documents. The following keywords and file extensions are what the actor searched for:
- Key words: