Trend Micro Uncovers Interesting Variant of PoisonIvy RAT
Researchers at Trend Micro have identified a new version of PoisonIvy, the notorious Remote Access Tool (RAT), that uses an interesting tactic to evade detection.
The variant, which Trend Micro detects as BKDR_POISON.BTA, loads itself by abusing vnetlib.exe, the VMware Network Install Library executable.
When vnetlib.exe runs, it loads a DLL by the name newdev.dll. Because the PoisonIvy variant is dropped under that same name where vnetlib.exe looks first, it is the malware rather than the legitimate DLL that gets loaded. Since vnetlib.exe itself is a legitimate VMware binary, the loading process looks benign to defenses that trust the executable rather than checking every library it pulls in.
After installation, PoisonIvy modifies the registry so that it is started each time the computer boots. It also injects itself into a browser process, which helps it evade security defenses such as firewalls, since the outbound traffic then appears to come from the browser.
This installation method, also known as binary planting or DLL preloading (a DLL search-order hijack), has been a favored technique of PlugX, another notorious RAT.
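The search-order mechanism behind the vnetlib.exe/newdev.dll loading described above, modelled in Python as an added example (this is not code from the article or from Trend Micro). It resolves a DLL name the way the Windows loader does with SafeDllSearchMode enabled, where the application's own directory is searched before System32, and then hunts a directory listing for the tell-tale pattern: a DLL sitting next to an executable that shares its name with a non-KnownDLL in System32. The file listing, the user paths and the short KnownDLLs subset are constructed for illustration.

```python
"""Model of the default Windows DLL search order (SafeDllSearchMode on) and a
hunt for planted DLLs that shadow a DLL of the same name in System32.

Added example; not code from the article or from Trend Micro. The directory
listing is constructed to mirror the case in the text: a copy of vnetlib.exe
with a dropped newdev.dll beside it. Paths and the KnownDLLs subset are
assumptions for illustration.
"""
from dataclasses import dataclass
import ntpath

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# DLLs listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
# are always mapped from System32, so they cannot be hijacked this way.
# Constructed subset; the real list is longer.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll"}


def search_order(app_dir, cwd, path_dirs):
    """Directories the loader tries, in order, when SafeDllSearchMode is on
    (the default since Windows XP SP2). The application directory comes first,
    which is why a DLL dropped next to vnetlib.exe beats the one in System32."""
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]


def resolve_dll(name, app_dir, files, cwd=r"C:\Users\victim", path_dirs=()):
    """Return the path the loader would map for `name`, or None if absent.
    `files` is a flat listing of existing file paths (case-insensitive match)."""
    by_lower = {f.lower(): f for f in files}
    if name.lower() in KNOWN_DLLS:
        return by_lower.get(ntpath.join(SYSTEM32, name).lower())
    for directory in search_order(app_dir, cwd, path_dirs):
        hit = by_lower.get(ntpath.join(directory, name).lower())
        if hit is not None:
            return hit
    return None


@dataclass(frozen=True)
class Finding:
    exe: str        # executable that would load the planted DLL
    dll: str        # DLL sitting in the executable's directory
    shadowed: str   # legitimate DLL of the same name in System32


def hunt_planted_dlls(files):
    """Flag DLLs that sit in the same directory as an .exe and share a name
    with a non-KnownDLL in System32: the shape of a binary-planting drop."""
    system_names = {
        ntpath.basename(f).lower()
        for f in files
        if ntpath.dirname(f).lower() == SYSTEM32.lower()
    }
    exes_by_dir = {}
    for f in files:
        if f.lower().endswith(".exe"):
            exes_by_dir.setdefault(ntpath.dirname(f).lower(), []).append(f)

    findings = []
    for f in files:
        base = ntpath.basename(f).lower()
        directory = ntpath.dirname(f)
        if not base.endswith(".dll") or directory.lower() == SYSTEM32.lower():
            continue
        if base not in system_names or base in KNOWN_DLLS:
            continue
        for exe in exes_by_dir.get(directory.lower(), []):
            # Confirm with the search-order model that the planted copy wins.
            if resolve_dll(base, directory, files) == f:
                findings.append(
                    Finding(exe, f, ntpath.join(SYSTEM32, ntpath.basename(f)))
                )
    return findings


# Constructed listing: a staged vnetlib.exe with newdev.dll dropped beside it,
# a planted kernel32.dll that cannot win because it is a KnownDLL, and a
# clean VMware install directory with no DLL beside the executable.
SAMPLE_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\newdev.dll",
    r"C:\Users\victim\Downloads\vnetlib.exe",
    r"C:\Users\victim\Downloads\newdev.dll",
    r"C:\Users\victim\Downloads\kernel32.dll",
    r"C:\Program Files\VMware\vnetlib.exe",
]

if __name__ == "__main__":
    for finding in hunt_planted_dlls(SAMPLE_FILES):
        print(f"{finding.exe} would load {finding.dll} instead of {finding.shadowed}")
```

On the sample listing only the Downloads copy of newdev.dll is reported; the planted kernel32.dll is ignored because KnownDLLs are always mapped from System32, and the clean VMware directory has nothing beside its executable. In a real hunt the listing would come from walking user-writable directories, and a hit should be confirmed by checking whether the DLL carries a valid Authenticode signature from the same publisher as the executable next to it, which the dropped PoisonIvy copy would not.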
That PoisonIvy is now using the same method is not surprising, since the groups operating the two malware families appear to be somewhat interlinked.
This observation may mean that the attackers have begun applying the DLL preloading tactic to new samples, possibly because they noticed that in PlugX's case it helped keep the malicious activity concealed.
In an earlier incident in which PoisonIvy variants used binary planting (DLL preloading), the variant arrived as a .zip attachment to spear-phishing e-mails sent to an organization in Japan. The archive contained an ordinary-looking document file along with a DLL named imeshare.dll, which Trend Micro detects as BKDR_POISON.DMI. Opening the document caused BKDR_POISON.DMI to be loaded through the DLL preloading technique.
PoisonIvy is persistent and has been around for many years, so it is quite possible that its operators simply returned to the binary planting method in their campaigns and changed only the infection vector to evade detection.
The PoisonIvy development supports Trend Micro's forecast that traditional malware will evolve only slowly, with some new families arriving in more advanced form at launch.
» SPAMfighter News - 27-06-2013