Full Report
Hey all, So following on from my talk (slides, video) I am releasing the NMAP service probes and the Poison Ivy NSE script as well as the DarkComet config extractor. Rat a-tat-tat from SensePost nmap-service-probes.pi poison-ivy.nse extract-DCconfig-from-binary.py An example of finding and extracting Camellia key from live Poison Ivy C2’s: nmap -sV -Pn --versiondb=nmap-service-probes.pi --script=poison-ivy.nse Finding Poison Ivy, DarkComet and/or Xtreme RAT C2’s: nmap -sV -Pn --versiondb=nmap-service-probes.pi
Analysis Summary
# Tool/Technique: Poison Ivy NSE Script & DarkComet Config Extractor (Part of RAT-a-tat-tat)
## Overview
The release from SensePost, associated with the "RAT-a-tat-tat" presentation, includes specific tools designed to aid in the detection and analysis of two distinct families of Remote Access Trojans (RATs): Poison Ivy and DarkComet. This includes an Nmap Scripting Engine (NSE) script for Poison Ivy and a Python script for extracting DarkComet configurations.
## Technical Details
- Type: Tool (NSE Script/Utility)
- Platform: Detection/Extraction tools target live services/binaries often associated with Windows malware.
- Capabilities:
- **Poison Ivy NSE Script:** Detection and potential interaction/key extraction from live Poison Ivy C2 communications.
- **DarkComet Config Extractor:** Extracts configuration data embedded within DarkComet binary files.
- **NMAP Service Probes:** Updated probes to enhance service version detection, specifically to aid in identifying these RAT services.
- First Seen: Information released around November 22, 2013.
## MITRE ATT&CK Mapping
Since these are detection/analysis tools rather than the malware itself, the mappings below reflect techniques used by the **identified malware families (Poison Ivy/DarkComet)**, which these tools help uncover.
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (C2 often tunnels over standard protocols)
- T1071.004 - Named Pipe (Poison Ivy/DarkComet often use various channels)
## Functionality
### Core Capabilities
- **Poison Ivy Identification:** Using the custom NSE script (`poison-ivy.nse`) with version detection (`-sV`), researchers can scan infrastructure for active Poison Ivy C2 listeners scanning default/known ports.
- **DarkComet Configuration Extraction:** The Python script (`extract-DCconfig-from-binary.py`) reads a DarkComet executable to pull out embedded configuration details, which often include C2 addresses, ports, and other settings.
### Advanced Features
- **Camellia Key Extraction (Poison Ivy):** The mention of extracting the Camellia key from live Poison Ivy C2s suggests the NSE script can inspect network traffic/handshakes to retrieve cryptographic keys used for C2 encryption. This is crucial for decrypting subsequent communications.
## Indicators of Compromise
*Note: The article primarily provides tools for *finding* IoCs embedded in configurations or network traffic, rather than listing known IoCs.*
- File Hashes: N/A (Tools provided)
- File Names: `poison-ivy.nse`, `extract-DCconfig-from-binary.py`, `nmap-service-probes.pi`
- Registry Keys: N/A
- Network Indicators: The tools are used to *discover* C2s associated with **Poison Ivy** and **DarkComet**. (Specific IoCs not provided in the summary text).
- Behavioral Indicators: Network scanning behavior using NMAP flags: `-sV -Pn --versiondb=<probes> --script=<script>` targeting specific service banners.
## Associated Threat Actors
- **Poison Ivy:** Widely used by various Chinese-linked Advanced Persistent Threat (APT) groups and cybercriminal organizations.
- **DarkComet:** Popular consumer/criminal RAT, often associated with general cybercrime and smaller threat groups prior to its official discontinuation.
## Detection Methods
- **Signature-based detection:** Using the custom NMAP probes database to define signatures for the unique service banners associated with these RATs.
- **Script-based detection:** Running the provided NSE script (`poison-ivy.nse`) against network segments to actively query and identify running C2 services.
- **Configuration Analysis:** Using the Python utility to analyze malware binaries offline to extract hardcoded C2 infrastructure.
## Mitigation Strategies
- **Network Segmentation:** Restrict outbound connections to known hostile IPs or specific required ports to limit potential C2 callback channels.
- **Host Hardening:** Ensure remote desktop and unnecessary administrative protocols are disabled or tightly controlled.
- **Application Control:** Block execution of suspicious binaries (like RAT installers/executables).
- **Endpoint Detection and Response (EDR):** Monitor for typical RAT behaviors, such as unauthorized remote file access or unusual process injection.
## Related Tools/Techniques
- **Poison Ivy:** Known RAT family.
- **DarkComet:** Known RAT family (often associated with malware loaders prior to 2013).
- **Xtreme RAT:** Also mentioned in the context of the NMAP detection commands, suggesting similar scanning methodologies apply.
- **Nmap Scripting Engine (NSE):** The primary framework used to deploy the detection logic.