Email Trojan Targets Chemical, Defense Industries

Friday, August 17, 2012 @ 02:08 PM gHale

A mass targeted email attack campaign against several high-value industries is using a Trojan that employs rigged PDFs to deliver its payload.

Targeted organizations include the defense, chemical, technology, and aerospace industries, and the MyAgent Trojan is primarily spreading through email as a zipped .exe file or PDF attachment, said researchers at the FireEye Malware Intelligence Lab.

EPA Breach: Virus in Email
Chem Co. Halts USB Stick Attack
Maplesoft Suffers Trojan Attack
Exploit Determines OS, then Attacks

MyAgent, once executed, opens a PDF file titled “Health Insurance and Welfare Policy” and then drops a second executable, entitled “ABODE32.exe,” in the temp directory, said FireEye in their report.
The “ABODE32.exe” executable accesses Windows Protected Storage, which holds the passwords for IE, Outlook, and other applications.

Once the Trojan infects its host machine, it communicates with its command and control server, the user agent string and URI of which are hard-coded into MyAgent’s binary. In addition to this, FireEye has noticed the malware loading different DLLs to communicate with its C&C. Despite MyAgent’s relatively high detection rate, its dynamic intermediary stages place it among what FireEye considers advanced malware.

JavaScript within the PDF variety of MyAgent determines which version of Adobe Reader is running on its host and then deploys well-known exploits tailored to the specific version. If the machine is running any of Reader 9.0’s predecessors, then MyAgent exploits the ‘Collab.getIcon()’ vulnerability.

Up to date antivirus products can easily detect the majority of MyAgent’s payloads.

Leave a Reply

You must be logged in to post a comment.