Understanding why Poison Ivy remains one of the most widely used RATs is easy. Controlled through a familiar Windows interface, it offers a bevy of handy features: key logging, screen capture, video capturing, file transfers, password theft, system administration, traffic relaying, and more.
Here is how a typical Poison Ivy attack works:
The attacker sets up a custom PIVY server, tailoring details such as how Poison Ivy will install itself on the target computer, what features are enabled, the encryption password, and so on.
The attacker sends the PIVY server installation file to the targeted computer. Typically, the attacker takes advantage of a zero-day flaw. The target executes the file by opening an infected email attachment, for example, or visiting a compromised website.
The server installation file begins executing on the target machine. To avoid detection by anti-virus software, it downloads additional code as needed through an encrypted communication channel.
Once the PIVY server is up and running on the target machine, the attacker uses a Windows GUI client to control the target computer.