The malware uses a legitimate PDF document to mask its true purpose

Aug 17, 2012 07:44 GMT

Security researchers have been monitoring the activities of a piece of malware identified as Trojan.MyAgent. Based on their analysis, they’ve determined that its main targets are organizations from the defense, chemicals, technology and aerospace industries.

According to FireEye experts, the threat is spread via email as an attachment. In one of the samples they discovered, MyAgent came as an executable which, when run, opened a decoy PDF document entitled “Health Insurance and Welfare Policy.”

Besides this decoy document, a file called ABODE32.exe was also dropped in the operating system’s Temp directory.

ABODE32.exe is designed to read the Windows Protected Storage, which holds saved user passwords such as those for Outlook and Internet Explorer, and the Windows Credential Store, which holds further saved credentials.

It then attempts to connect to a command-and-control server whose details are hard-coded inside the binaries.
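The dropper behaviour in the last three paragraphs (an executable written to the Temp directory under an Adobe-like name, launched from there, and beaconing to a hard-coded server) is the kind of host signal a detection engineer wants to encode. The Python below is an added example, not code from FireEye or from this article: it triages constructed Sysmon-style events against four rules derived from the text. The user name, the attachment file name `attachment.exe`, the exact paths and the destination address are assumptions; the decoy title and the ABODE32.exe name come from the article, and the observation that "ABODE" is an anagram of "ADOBE" is ours.

```python
"""Host-event triage for the dropper behaviour described above (added example).

The events are constructed Sysmon-style records, not telemetry from the
original analysis. The user name, the attachment file name, the exact paths
and the destination address are assumptions; the decoy title and ABODE32.exe
are taken from the article.
"""
import ipaddress
import ntpath
import re

# Both the XP "Local Settings\Temp" and the Vista+ "AppData\Local\Temp"
# locations contain a "\Temp\" path component.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
EXEC_EXT = {".exe", ".dll", ".scr", ".com"}
# Product names a dropper is likely to imitate when it wants to pass as a
# component of the PDF reader it just opened.
BRANDS = ("adobe", "acrobat")
# Address space treated as internal; a Temp-resident process connecting
# anywhere else is a candidate C2 beacon.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def brand_lookalike(path: str):
    """Return the imitated brand if the file name is a near miss for it, else None.

    ABODE32.exe -> stem "abode", an anagram of "adobe" (our observation, not
    the article's). A one-edit slip such as "adobee" is caught by the distance.
    """
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    stem = re.sub(r"\d+$", "", stem)          # drop the "32" in ABODE32 / AcroRd32
    for brand in BRANDS:
        if stem == brand:
            return None                        # the genuine name is not a lookalike
        if sorted(stem) == sorted(brand) or osa_distance(stem, brand) <= 1:
            return brand
    return None


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.search(path))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Map event index -> list of rule ids that fired on that event."""
    hits = {}
    for i, ev in enumerate(events):
        image, target = ev.get("image", ""), ev.get("target", "")
        rules = []
        if (ev["event"] == "FileCreate" and in_temp(target)
                and ntpath.splitext(target)[1].lower() in EXEC_EXT):
            rules.append("R1")   # executable written to a Temp directory
        if ev["event"] == "ProcessCreate" and in_temp(image):
            rules.append("R2")   # process launched from a Temp directory
        if any(brand_lookalike(p) for p in (image, target) if p):
            rules.append("R3")   # file name imitating Adobe/Acrobat
        if (ev["event"] == "NetworkConnect" and in_temp(image)
                and not is_internal(ev["dest_ip"])):
            rules.append("R4")   # Temp-resident process beaconing outward
        if rules:
            hits[i] = rules
    return hits


TEMP = r"C:\Users\alice\AppData\Local\Temp"                   # assumed path
ATTACHMENT = r"C:\Users\alice\Downloads\attachment.exe"      # assumed name of the e-mailed exe
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"event": "FileCreate", "image": ATTACHMENT,
     "target": TEMP + r"\Health Insurance and Welfare Policy.pdf"},   # the decoy
    {"event": "FileCreate", "image": ATTACHMENT, "target": TEMP + r"\ABODE32.exe"},
    {"event": "ProcessCreate", "image": TEMP + r"\ABODE32.exe"},
    {"event": "NetworkConnect", "image": TEMP + r"\ABODE32.exe",
     "dest_ip": "203.0.113.7"},   # documentation address standing in for the C2
    {"event": "ProcessCreate",
     "image": r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"},  # benign
    {"event": "NetworkConnect",
     "image": r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "dest_ip": "10.0.0.5"},                                              # benign
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["event"], rules)
```

Rules R1, R2 and R4 on their own are noisy on real fleets (installers and updaters run from Temp all the time); the value is in the conjunction, which is why the output keeps the rule ids per event rather than a single verdict. The genuine AcroRd32.exe is included to show that the lookalike check does not fire on the product it is protecting.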

“The PDF version of the dropper uses fairly well known exploits. The JavaScript inside of the PDF checks the Adobe Reader version and launches the appropriate exploits. If the Reader version is less than 9.0, then it exploits the Collab.getIcon() vulnerability,” Vinay Pidathala of FireEye explained.
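Because the quoted analysis turns on Reader-version-dependent JavaScript, here is an added example of static triage for that pattern; it is not FireEye's tooling or code from this article. It assembles a small constructed PDF whose OpenAction runs a Flate-compressed JavaScript stream holding only a placeholder version check, inflates the streams, and reports the indicators it finds. The object layout, the placeholder script, the second branch of the version check and the indicators beyond Collab.getIcon() (util.printf(), unescape()) are assumptions that go beyond what the article states; the CVE numbers in the comments are the publicly assigned ones and do not appear in the article.

```python
"""Static triage of a PDF for version-branching JavaScript (added example).

The sample document is constructed here; its JavaScript is a placeholder that
mimics the version check described in the article, not the dropper's code.
"""
import re
import zlib

# Byte patterns worth flagging and what each suggests. Collab.getIcon() is the
# call named in the article; util.printf() and unescape() are added as common
# companions in Reader exploit PDFs of that era (an assumption, not the article).
INDICATORS = {
    b"/OpenAction": "action runs when the document is opened",
    b"/JavaScript": "JavaScript action",
    b"app.viewerVersion": "Reader version check",
    b"Collab.getIcon": "Collab.getIcon() overflow (CVE-2009-0927)",
    b"util.printf": "util.printf() overflow (CVE-2008-2992)",
    b"unescape(": "unescape() shellcode assembly",
}
EXPLOIT_CALLS = (b"Collab.getIcon", b"util.printf")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def build_sample_pdf(js: str) -> bytes:
    """Assemble a minimal PDF whose OpenAction runs a Flate-compressed script (constructed)."""
    body = zlib.compress(js.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"   # no xref: enough for static scanning


def stream_bodies(data: bytes, inflate: bool = True):
    """Yield every stream body, inflating those whose object dictionary declares /FlateDecode."""
    for m in STREAM_RE.finditer(data):
        head = data[data.rfind(b" obj", 0, m.start()):m.start()]   # the owning object's dictionary
        body = m.group(1)
        if inflate and b"/FlateDecode" in head:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass   # corrupt or deliberately mangled stream: scan the raw bytes instead
        yield body


def triage_pdf(data: bytes, inflate: bool = True) -> dict:
    """Scan the raw file plus its (inflated) streams and report exploit indicators."""
    found = set()
    for blob in [data, *stream_bodies(data, inflate)]:
        for pattern in INDICATORS:
            if pattern in blob:
                found.add(pattern.decode())
    # The pattern from the article: read the version, then pick an exploit.
    version_branching = ("app.viewerVersion" in found
                         and any(c.decode() in found for c in EXPLOIT_CALLS))
    indicators = sorted(found)
    return {"indicators": indicators,
            "notes": [INDICATORS[i.encode()] for i in indicators],
            "version_branching": version_branching}


# Placeholder script (constructed): the <9.0 branch names the call from the
# article; the other branch is unspecified there and left empty here.
SAMPLE_JS = (
    "var ver = app.viewerVersion;\n"
    "if (ver < 9.0) {\n"
    "  Collab.getIcon(PLACEHOLDER_ARG);\n"
    "} else {\n"
    "  // other version-specific branch, not described in the article\n"
    "}\n"
)

if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf(SAMPLE_JS))
    for ind, note in zip(report["indicators"], report["notes"]):
        print(f"{ind:20} {note}")
    print("version-branching exploit pattern:", report["version_branching"])
```

The point of the `inflate` switch is the caveat a practitioner needs: with the script sitting inside a FlateDecode stream, a plain string search over the file sees `/OpenAction` and `/JavaScript` but neither the version check nor the Collab.getIcon() call, so a scanner that does not inflate streams misses exactly the part that identifies the exploit.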

Fortunately, at the time of writing, most antivirus solutions identified both the dropper and the dropped executable as malicious.

However, MyAgent is an advanced piece of malware that can vary how its payload is installed, and some of its binaries remain undetected by many security vendors.

Users should therefore keep their security products up to date and treat PDF documents attached to unsolicited emails with suspicion. Keeping Adobe Reader itself patched matters just as much: the Collab.getIcon() branch described above only fires on versions below 9.0.