
PoisonIvy Uses Legitimate Application as Loader

  • Posted on: June 20, 2013 at 6:48 pm
  • Posted in: Malware
  • Author: Abraham Camba (Threat Researcher)

I recently obtained a PoisonIvy sample which uses a legitimate application in an effort to stay under the radar.

In this case, the PoisonIvy variant detected as BKDR_POISON.BTA (named newdev.dll) took advantage of a technique known as a DLL preloading attack (aka binary planting) instead of exploiting previously known techniques. The malware was located in the same folder as the legitimate application, vnetlib.exe (VMware Network Install Library Executable). Executing vnetlib.exe automatically loads BKDR_POISON.BTA instead of the legitimate newdev.dll (the Add Hardware Device Library) located in the %System% folder. Once the malware loads, it creates a registry entry that enables automatic execution of vnetlib.exe at every startup. BKDR_POISON.BTA then launches a hidden web browser process (iexplore.exe) into which it injects its code. The injected code contains its backdoor routines, which aids in bypassing firewalls.

We also observed that the number of functions exported by BKDR_POISON.BTA differs from the number exported by the legitimate newdev.dll. This is probably because BKDR_POISON.BTA only needed to export the function that vnetlib.exe imports.

Figure 1. Exported functions of BKDR_POISON.BTA newdev.dll (L) versus the legitimate newdev.dll (R)

Figure 2. Functions vnetlib.exe imported from newdev.dll

A New Technique? Not Really.

The usage of DLL preloading, per se, is not new. This technique is known to be utilized by PlugX, which is why its usage by PoisonIvy is notable.

In our previous post we concluded that the cybercriminals behind the PoisonIvy and PlugX campaigns are somehow related. This might mean that the cybercriminals are gearing toward using the DLL preloading technique for future variants. They might have observed that using this DLL technique for PlugX successfully kept their malicious activities hidden.

There was a previous instance where PoisonIvy samples used the DLL preloading (aka binary planting) technique. The sample arrived as an attached archive file in spear phishing emails sent to a Japanese organization. The archive contains a normal document file and a DLL file named imeshare.dll, detected by Trend Micro as BKDR_POISON.DMI. (Note that there is a legitimate DLL named imeshare.dll located in the %System% folder.) Opening the normal document file will trigger BKDR_POISON.DMI to load via DLL preloading.
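A defender-side check for the pattern in both cases above (newdev.dll beside vnetlib.exe, and imeshare.dll beside a document), as an added example that is not from the original post: it flags DLLs outside the system folder that reuse a system DLL's name but differ in content. The function names, directory layout and placeholder file bytes are constructed for illustration, and a hash mismatch is a triage signal rather than a verdict.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_shadowing_dlls(scan_root, system_dir):
    """Return sorted (relative_dir, dll_name, exe_in_same_folder) for name collisions."""
    system_dir = os.path.abspath(system_dir)
    system_dlls = {n.lower(): os.path.join(system_dir, n)
                   for n in os.listdir(system_dir) if n.lower().endswith(".dll")}
    findings = []
    for dirpath, _dirs, files in os.walk(scan_root):
        if os.path.abspath(dirpath) == system_dir:
            continue
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for name in files:
            system_copy = system_dlls.get(name.lower())  # Windows names are case-insensitive
            if system_copy is None:
                continue
            # A byte-identical copy is a redistributed system file, not a replacement.
            if sha256_of(os.path.join(dirpath, name)) != sha256_of(system_copy):
                findings.append((os.path.relpath(dirpath, scan_root), name, has_exe))
    return sorted(findings)

def demo():
    """Run the check on a constructed tree (placeholder bytes, not real binaries)."""
    layout = {
        "System32/newdev.dll": b"system newdev",
        "System32/imeshare.dll": b"system imeshare",
        "app/vnetlib.exe": b"host exe",
        "app/NewDev.dll": b"different content",     # collision beside an executable
        "mail/report.doc": b"document",
        "mail/imeshare.dll": b"different content",  # collision beside a document
        "tool/tool.exe": b"host exe",
        "tool/imeshare.dll": b"system imeshare",    # identical copy: not flagged
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return find_shadowing_dlls(root, os.path.join(root, "System32"))

if __name__ == "__main__":
    print(demo())
```

The third field records whether an executable sits in the same folder, since the second case on this page involved a DLL placed beside a document rather than beside its host program.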

Since PoisonIvy is stable and has been in the wild for several years, it’s highly likely that they decided to reuse the DLL preloading technique in their campaigns but simply changed its infection vector to avoid detection. Though these efforts to evade anti-malware scanning are not in themselves groundbreaking, this development in PoisonIvy supports our prediction that conventional malware threats will only gradually evolve, with few, if any, new threats, and attacks that will become more sophisticated in terms of deployment.

Trend Micro users are protected by the Smart Protection Network. In particular, file reputation service detects and deletes Poison Ivy (BKDR_POISON) and PlugX (BKDR_PLUGX and TROJ_PLUGX) variants.

Tags: backdoor, binary planting, DLL preloading, PoisonIvy
