Poison Ivy RAT Receives Update Just in Time to Spy on Hong Kong Protesters
A RAT (Remote Access Trojan) created at the start of the 2000s and then abandoned in 2008 has received a surprising update and is now being used to target pro-democracy organizations and supporters in Hong Kong.

Computer malware is never effective for more than one or two years, mainly due to the rapid evolution of the underlying operating systems. In terms of malware age, Poison Ivy (PIVY) is a very, very old tool.

Nevertheless, in its heyday, Poison Ivy was one of the criminal underground's top tools, used mainly for its low antivirus detection rate and its simplistic GUI, which allowed even non-technical users to operate it without too many headaches.
"Eight years later, Poison Ivy receives an update"

On record, the last update Poison Ivy received was version 2.3.2, in 2008. According to surprised researchers from Palo Alto's Unit42 security forensics team, this RAT has recently received an update and has been deployed only in cyber-espionage campaigns against pro-democracy groups in Hong Kong, which have organized and participated in public protests for the past year.

According to the security firm, organizations and individuals involved in these pro-democracy movements have started to receive spear-phishing emails containing malicious Word files.

To lure victims into downloading and opening these files, they all carry titles that appeal to someone involved in freedom campaigns. The emails say the attachments contain information about recent events (March-April 2016), ranging from mandatory courses for schoolchildren to details about the Mong Kok riot and a wreath-laying event for the Tiananmen Square massacre.
"New Poison Ivy version uses DLL hijacking, code obfuscation"

If users open these documents, attackers leverage a vulnerability in the Microsoft Office package (CVE-2015-2545) to infect the targets with the latest version of the Poison Ivy RAT, nicknamed SPIVY by Palo Alto.

SPIVY then uses DLL hijacking techniques to load its malicious code into running OS processes and opens a connection to its C&C servers, from which the attackers send orders and steal data.

This tactic is not new, and Hong Kong pro-democracy organizations have been targeted before, along with other targets in Taiwan. In most attacks, the targets hold political views that differ from China's main policies, so one could quickly jump to conclusions, even though researchers have declined to make official accusations.
source