Email trojan targeting defense, aerospace and other industries

21st Aug 2012

What appears to be a targeted attack campaign against several high-value industries is using a trojan that employs rigged PDFs to deliver its payload. Targeting organizations in the defense, chemical, technology, and aerospace industries, the MyAgent trojan is primarily spreading through email as a zipped .exe file or PDF attachment, according to researchers at the FireEye Malware Intelligence Lab. FireEye examined a sample of MyAgent that, once executed, opens a PDF file titled "Health Insurance and Welfare Policy" and then drops a second executable, titled "ABODE32.exe", in the temp directory, they say in their report. FireEye notes that the "ABODE32.exe" executable accesses Windows Protected Storage, which holds the passwords for Internet Explorer, Outlook, and other applications.

Once the trojan infects its host machine, it communicates with its command and control (C&C) server; the user agent string and URI it uses are hard-coded into MyAgent's binary. FireEye also observed the malware loading different DLLs to communicate with its C&C server. Despite MyAgent's relatively high detection rate, its dynamic intermediary stages place it among what FireEye considers advanced malware. JavaScript within the PDF variety of MyAgent determines which version of Adobe Reader is running on its host and then deploys well-known exploits tailored to that specific version. If the machine is running a version of Reader earlier than 9.0, MyAgent exploits the "Collab.getIcon()" vulnerability.
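The article describes two behaviours a defender can key on in a mail-borne PDF: embedded JavaScript that reads the Reader version, and a call to Collab.getIcon() for older versions. The following is an added example (not code from FireEye, Threatpost, or the MyAgent sample) of a small triage scanner that looks for those indicators in a PDF, including inside FlateDecode-compressed streams where such scripts are commonly tucked away. The indicator names, the risk tiers, and the two sample PDFs built by build_pdf() are constructed for this illustration; the scripts in them only contain the string-level markers, not an exploit.

```python
import re
import zlib

# Indicator patterns drawn from the behaviour described in the article.
# Names are this example's own labels, not FireEye's.
INDICATORS = {
    "embedded_javascript": rb"/JavaScript|/JS\b",      # PDF JavaScript action
    "reader_version_check": rb"app\.viewerVersion",     # version fingerprinting
    "collab_geticon": rb"Collab\.getIcon",              # pre-9.0 exploit target
}

# Raw content between "stream" and "endstream" in a PDF object.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _inflate_streams(pdf: bytes) -> bytes:
    """Return the PDF bytes followed by the inflated content of every
    zlib (FlateDecode) stream, so indicators hidden in compressed objects
    are visible to the same regex pass. Non-zlib streams are skipped."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        # The EOL before "endstream" may or may not belong to the data.
        for candidate in (raw, raw.rstrip(b"\r\n")):
            try:
                parts.append(zlib.decompress(candidate))
                break
            except zlib.error:
                continue
    return b"\n".join(parts)


def scan_pdf(pdf: bytes) -> dict:
    """Map each indicator name to whether it was found in the PDF."""
    haystack = _inflate_streams(pdf)
    return {name: bool(re.search(pat, haystack))
            for name, pat in INDICATORS.items()}


def risk_level(hits: dict) -> str:
    """Constructed triage tiers: a Collab.getIcon reference, or JavaScript
    that fingerprints the Reader version, is treated as high risk."""
    if hits["collab_geticon"] or (hits["embedded_javascript"]
                                  and hits["reader_version_check"]):
        return "high"
    if hits["embedded_javascript"]:
        return "medium"
    return "low"


def build_pdf(script: str, compress: bool) -> bytes:
    """Build a minimal constructed PDF whose OpenAction runs `script`,
    optionally storing it in a FlateDecode stream (sample input only)."""
    data = script.encode()
    filt = b""
    if compress:
        data = zlib.compress(data)
        filt = b"/Filter /FlateDecode "
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << " + filt + b"/Length " + str(len(data)).encode()
            + b" >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


# Constructed samples: one mirrors the version-check-then-getIcon pattern
# (markers only, no exploit logic), the other is ordinary document script.
SUSPICIOUS_PDF = build_pdf(
    'if (app.viewerVersion < 9) { Collab.getIcon(arg); }', compress=True)
BENIGN_PDF = build_pdf(
    'app.alert("Health Insurance and Welfare Policy");', compress=False)

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        hits = scan_pdf(sample)
        print(label, risk_level(hits), hits)
```

Inflating streams before matching is the part that matters in practice: a plain grep over the file misses the compressed case, and the suspicious sample above is only detected because its script lives in a FlateDecode stream that the scanner decompresses first.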

Full Story:
http://threatpost.com/en_us/blogs/email-trojan-tageting-defense-aerospace-and-other-industries-081612
