The technique is called binary planting, or DLL preloading attack

Jun 21, 2013 14:36 GMT  ·  By

A new variant of the PoisonIvy RAT, identified by researchers from Trend Micro, uses an interesting technique to evade detection.

The sample, detected by Trend Micro as BKDR_POISON.BTA, abuses the VMware Network Install Library Executable (vnetlib.exe) to load.

When vnetlib.exe is executed, it loads a DLL file called newdev.dll. However, since PoisonIvy is also disguised as newdev.dll, the malware is loaded instead of the legitimate file.

Once loaded, the threat creates registry entries to make sure it’s executed on every startup. In addition, it injects itself into a web browser process so that it can bypass firewalls.

The loading technique observed in this sample, also known as a DLL preloading attack or binary planting, has been utilized by another famous RAT, PlugX.
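As an added example (not code from Trend Micro or from this article), the following Python check hunts for the search-order hijack described above: it flags any DLL sitting in an application directory that shares a name with a DLL in the system directory but has different content, which is exactly the newdev.dll-beside-vnetlib.exe layout. The directory tree is constructed in a temporary folder so the script runs offline; on a real host you would point it at the application folder and C:\Windows\System32.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_shadowing_dlls(app_dir: Path, system_dir: Path) -> list[dict]:
    """Return DLLs in app_dir whose name matches a DLL in system_dir but whose
    content differs: candidates for DLL preloading / binary planting."""
    findings = []
    system_dlls = {p.name.lower(): p for p in system_dir.glob("*.dll")}
    for dll in app_dir.glob("*.dll"):
        sys_copy = system_dlls.get(dll.name.lower())
        if sys_copy is None:
            continue  # app-private DLL, nothing in the system dir to shadow
        app_hash, sys_hash = sha256_of(dll), sha256_of(sys_copy)
        if app_hash != sys_hash:  # identical copies are benign redistributions
            findings.append({"dll": dll.name, "app_path": str(dll),
                             "system_path": str(sys_copy),
                             "app_sha256": app_hash, "system_sha256": sys_hash})
    return findings


def build_constructed_layout(root: Path) -> tuple[Path, Path]:
    """Constructed sample tree (placeholder bytes, not real binaries) mirroring
    the article: vnetlib.exe next to a planted newdev.dll, while the
    legitimate newdev.dll lives in the system directory."""
    app, sys32 = root / "VMware", root / "System32"
    app.mkdir()
    sys32.mkdir()
    (app / "vnetlib.exe").write_bytes(b"MZ placeholder host executable")
    (app / "newdev.dll").write_bytes(b"MZ placeholder PLANTED dll")
    (sys32 / "newdev.dll").write_bytes(b"MZ placeholder legitimate dll")
    (app / "vnetlib.dll").write_bytes(b"MZ app-private dll")  # no system twin
    (app / "setupapi.dll").write_bytes(b"MZ identical copy")   # same content
    (sys32 / "setupapi.dll").write_bytes(b"MZ identical copy")  # -> not flagged
    return app, sys32


def demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as tmp:
        app, sys32 = build_constructed_layout(Path(tmp))
        return find_shadowing_dlls(app, sys32)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['dll']}: {f['app_path']} shadows {f['system_path']}")
```

A hit is only a candidate: confirm it by checking the Authenticode signature and publisher of the application-directory copy before treating it as planted.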

The fact that PoisonIvy now uses this technique isn’t very surprising, considering that the cybercriminals behind the two threats appear to be somehow connected.