Hong Kong democracy activists targeted by Poison Ivy variant

News by Tom Reeve

Pro-democracy activists in Hong Kong are being targeted by a new variant of Poison Ivy, a malware package that previously hadn't seen an update in six or seven years.

According to Unit 42, the threat research team at Palo Alto Networks, detection rates for Poison Ivy in both anti-virus and intrusion detection systems have been very low despite the malware's simplicity and ubiquity.

Poison Ivy, sometimes referred to as PIVY, is a remote access tool (RAT) with a graphical user interface that makes it easy for low-skilled attackers to operate. It provides a range of tools for managing compromised computers, plus additional tooling for moving through the victim's network once a beachhead has been established.

The package was last updated, at least publicly, in 2008, but Unit 42 said it has seen a new version of PIVY that uses DLL sideloading, in which a legitimate, signed executable is made to load a malicious DLL dropped alongside it so that the malware runs under the cover of a trusted process. It was observed in the wild being deployed by exploiting CVE-2015-2545, the Microsoft Office malformed EPS file vulnerability.

Unit 42 isn't the only team to have found a new variant of PIVY. The Japan Computer Emergency Response Team (J-CERT) also discovered a Poison Ivy variant, which it blogged about in July last year and which also used DLL sideloading.
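Both variants above rely on DLL sideloading, so a defender's first question is where on a host a trusted executable sits next to a DLL it should not trust. The following PowerShell hunting script is an added example written for this page; it is not code from Unit 42, J-CERT or the article, and it does not reproduce any indicator from the PIVY samples. It assumes a simple heuristic: in user-writable directories, flag any validly signed .exe that shares a directory with a .dll that is unsigned, has a broken signature, or is signed by a different subject than the .exe. The root directories, the function name Find-SideloadCandidates and the output fields are all choices made for this example.

```powershell
# Added example (not from the article): hunt for DLL sideloading candidates.
# Heuristic (an assumption of this example, not a rule from the page):
#   a validly signed EXE in a user-writable location, sitting next to a DLL
#   that is unsigned, has an invalid signature, or is signed by someone else.
param(
    # Assumed starting points; adjust for the environment being examined.
    [string[]]$Roots = @("$env:LOCALAPPDATA", "$env:APPDATA", "$env:TEMP", "$env:ProgramData")
)

function Find-SideloadCandidates {
    param([string[]]$Roots)

    $results = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }

        # Every executable under the root, recursively; errors (ACLs, reparse points) are skipped.
        $exes = Get-ChildItem -Path $root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue
        foreach ($exe in $exes) {
            $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
            # Only a trusted, validly signed host binary is interesting for sideloading.
            if ($exeSig.Status -ne 'Valid') { continue }
            $exeSubject = $exeSig.SignerCertificate.Subject

            # DLLs in the same directory are the ones the loader searches first.
            $dlls = Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue
            foreach ($dll in $dlls) {
                $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
                $dllSubject = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '' }

                # A DLL validly signed by the same publisher as the EXE is the expected case; skip it.
                if ($dllSig.Status -eq 'Valid' -and $dllSubject -eq $exeSubject) { continue }

                $results += [pscustomobject]@{
                    Exe       = $exe.FullName
                    ExeSigner = $exeSubject
                    Dll       = $dll.FullName
                    DllStatus = $dllSig.Status   # NotSigned, HashMismatch, UnknownError, or Valid with a different signer
                    DllSigner = $dllSubject
                }
            }
        }
    }
    return $results
}

Find-SideloadCandidates -Roots $Roots | Sort-Object Exe | Format-Table -AutoSize
```

The script reports candidates, not confirmed compromises: a third-party DLL legitimately shipped next to a vendor's signed binary will also appear, so each hit still needs to be checked against what the executable actually imports (for example with a PE import-table parser) and against the DLL's hash and prevalence. Running it with the default roots limits the search to the user-writable locations where a dropped EXE/DLL pair is most plausible; extending it to Program Files will mostly surface benign vendor bundles.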
