It always seems to be a cat-and-mouse game: a new variant of the PoisonIvy RAT uses an interesting technique to evade detection, researchers said.
The sample, detected as BKDR_POISON.BTA, abuses the VMware Network Install Library Executable (vnetlib.exe) to load, said researchers at Trend Micro.
When vnetlib.exe executes, it loads a DLL file called newdev.dll. However, since PoisonIvy also disguises as newdev.dll, the malware loads instead of the legitimate file.
Once loaded, the threat creates registry entries to make sure it executes on every startup. In addition, it injects itself into a web browser process so that it can bypass firewalls.
The loading technique, also known as a DLL preloading attack or binary planting, is also seeing use by another known RAT, PlugX.
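As an added illustration, not code from the article or from the Trend Micro research, the Python below models the simplified search order the technique relies on (the application directory is consulted before the system directory) and scans a constructed file listing for a system DLL planted beside an executable. The VMware install path and the file inventory are constructed sample data.

```python
import ntpath

# Simplified loader search order: the directory of the executable is checked
# before the system directory. A newdev.dll placed next to vnetlib.exe therefore
# shadows the legitimate copy. (KnownDLLs and other refinements are omitted.)
SYSTEM_DIR = r"C:\Windows\System32"

# Constructed sample inventory of files per directory; the VMware path is an
# assumption used only for this example.
SAMPLE_FS = {
    r"C:\Program Files\VMware\VMware Workstation": {"vnetlib.exe", "newdev.dll"},
    SYSTEM_DIR: {"newdev.dll", "kernel32.dll"},
}


def resolve_dll(exe_path, dll_name, fs):
    """Return the path the simplified loader would pick for dll_name."""
    app_dir = ntpath.dirname(exe_path)
    for directory in (app_dir, SYSTEM_DIR):
        names = {f.lower() for f in fs.get(directory, ())}
        if dll_name.lower() in names:
            return ntpath.join(directory, dll_name)
    return None


def find_planted_dlls(fs, system_dlls=("newdev.dll",)):
    """Flag copies of system DLLs that sit in a directory containing an executable."""
    findings = []
    for directory, files in fs.items():
        if directory.lower() == SYSTEM_DIR.lower():
            continue
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        for f in files:
            if f.lower() in system_dlls and exes:
                findings.append((ntpath.join(directory, f), exes))
    return findings


if __name__ == "__main__":
    exe = r"C:\Program Files\VMware\VMware Workstation\vnetlib.exe"
    print("loader would pick:", resolve_dll(exe, "newdev.dll", SAMPLE_FS))
    print("planted copies:", find_planted_dlls(SAMPLE_FS))
```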