Pro-democracy activists in Hong Kong are being targeted by a new variant of Poison Ivy, a malware package that previously hadn't seen an update in six or seven years.
According to Unit 42 security researchers at Palo Alto Networks, detection rates for both anti-virus and intrusion detection systems has been very low for Poison Ivy despite its simplicity and ubiquity.
Poison Ivy – sometimes referred to as PIVY – is a remote access tool that provides a convenient graphical user interface that is ideal for low-skilled hackers. It provides a range of tools for managing compromised computers and provides a range of additional tools to use once a beachhead has been established in the victim's network.
The package was last updated – at least publicly – in 2008 but Unit 42 said it saw a new version of PIVY which uses DLL Sideloading. It was observed in the wild being deployed by exploiting CVE-2015-2545, the Microsoft Office malformed EPS file vulnerability.
Unit 42 aren't the only researchers to discover a new variant of PIVY. The Japan Computer Emergency Response Team (J-CERT) also discovered a variant to Poison Ivy which it blogged about in July last year and which also used DLL sideloading.