What has the makings of a targeted attack campaign against several high-value industries is using a Trojan that employs rigged PDFs to deliver its payload. Targeting organizations in the defense, chemical, technology, and aerospace industries, the MyAgent trojan is primarily spreading through email as a zipped .exe file or PDF attachment, according to researchers at the FireEye Malware Intelligence Lab.
FireEye examined a sample of MyAgent that, once executed, opens a PDF file titled ‘Health Insurance and Welfare Policy’ and then drops a second executable, deviously titled ‘ABODE32.exe,’ in the temp directory, they say in their report.
FireEye notes that the ‘ABODE32.exe’ executable accesses Windows Protected Storage, which holds the passwords for IE, Outlook, and other applications.
Once the trojan has infected its host machine, it communicates with its command and control server, the user agent string and URI of which are hard-coded into MyAgent’s binary. In addition to this, FireEye has noticed the malware loading different DLLs to communicate with its C&C. Despite MyAgent’s relatively high detection rate, its dynamic intermediary stages place it among what FireEye considers advanced malware.
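The host-side behaviour described above (a second executable dropped into the temp directory under an Adobe-lookalike name and launched from the PDF reader) is what endpoint telemetry can catch even when the C&C user agent and URI are not yet known. The following triage script is an added example, not code from FireEye or the article: it assumes Sysmon-style process-creation records flattened into `Key: Value` fields, a short illustrative list of imitated vendor names, and constructed sample events rather than real campaign telemetry.

```python
import re

# Constructed sample process-creation records in a Sysmon-like "Key: Value | Key: Value" layout.
# These are illustrative, not telemetry from the campaign the article describes.
SAMPLE_EVENTS = [
    "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\ABODE32.exe"
    " | ParentImage: C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe",
    "Image: C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe"
    " | ParentImage: C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE",
    "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\setup_tmp.exe | ParentImage: C:\\Windows\\explorer.exe",
    "Image: C:\\Windows\\System32\\notepad.exe | ParentImage: C:\\Windows\\explorer.exe",
]

# Names a dropper may imitate (assumption: a small illustrative list). Stems are compared
# without extension or trailing digits, so 'ABODE32.exe' is measured against 'adobe'.
IMITATED_NAMES = ["adobe", "acrord", "acrobat", "reader"]
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\tmp\\")


def parse_event(line: str) -> dict:
    """Split 'Key: Value | Key: Value' into a dict; the first ':' separates key from value."""
    return {k.strip(): v.strip() for k, v in (f.split(":", 1) for f in line.split(" | "))}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def name_stem(filename: str) -> str:
    """'ABODE32.exe' -> 'abode': lowercase, drop the extension and any trailing digits."""
    stem = filename.lower().rsplit(".", 1)[0]
    return re.sub(r"\d+$", "", stem)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename: str, targets=IMITATED_NAMES, max_distance: int = 2):
    """Return the imitated name when the stem is a near miss (not an exact match) of it."""
    stem = name_stem(filename)
    for target in targets:
        distance = levenshtein(stem, target)
        if 0 < distance <= max_distance:
            return target
    return None


def triage(events: list) -> list:
    """Flag process launches that match the dropper pattern; each hit lists its reasons."""
    hits = []
    for line in events:
        event = parse_event(line)
        image, parent = event.get("Image", ""), event.get("ParentImage", "")
        reasons = []
        if any(marker in image.lower() for marker in TEMP_MARKERS):
            reasons.append("executable launched from a temp directory")
        imitated = lookalike(basename(image))
        if imitated:
            reasons.append(f"name resembles '{imitated}'")
        if basename(parent).lower() in DOCUMENT_READERS and "\\program files" not in image.lower():
            reasons.append("spawned by a document reader from outside Program Files")
        if reasons:
            hits.append({"image": image, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["image"], "->", "; ".join(hit["reasons"]))
```

Each reason on its own is noisy (installers run from temp all the time), which is why the script reports the reasons together rather than a single boolean: an executable that is launched from temp, carries a near-miss of a vendor name, and was spawned by the PDF reader is a far stronger signal than any one of those facts.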
JavaScript embedded in the PDF variant of MyAgent determines which version of Adobe Reader is running on the host and then deploys well-known exploits tailored to that version. If the machine is running any version of Reader earlier than 9.0, MyAgent exploits the ‘Collab.getIcon()’ vulnerability.
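The version check and the named API call are both visible statically once the document's JavaScript is pulled out of the file, which is how a mail gateway or analyst can triage such a PDF without opening it in Reader. The script below is an added example, not FireEye's tooling or a real MyAgent sample: it parses only the PDF subset it needs (plain `N G obj ... endobj` objects, inline literal strings, and FlateDecode streams; no xref table, object streams or other filters), its indicator list is an assumption beyond the two behaviours the article names, and the sample document it scans is constructed inline and carries no exploit code.

```python
import re
import zlib

# Constructed sample JavaScript (not from any real sample): it branches on the Reader version
# and references Collab.getIcon, the API the article names, but carries no exploit code.
SAMPLE_JS = (
    b"var v = app.viewerVersion;\n"
    b"if (v < 9.0) { Collab.getIcon(old_reader_argument); }\n"
    b"else { app.alert('Health Insurance and Welfare Policy'); }"
)

def build_sample_pdf(js: bytes, inline: bool) -> bytes:
    """Minimal PDF whose /OpenAction runs `js`, stored either as an inline literal string
    or behind an indirect reference to a FlateDecode-compressed stream (constructed input)."""
    if inline:
        action = b"3 0 obj\n<< /S /JavaScript /JS (" + js + b") >>\nendobj\n"
    else:
        body = zlib.compress(js)
        action = (
            b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n"
            b"4 0 obj\n<< /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n"
        )
    return (
        b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
        + action + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)

def split_objects(pdf: bytes) -> dict:
    """Map object number -> body for every 'N G obj ... endobj' in the file."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}

def stream_data(body: bytes) -> bytes:
    """Stream contents of an object, inflated when it declares /FlateDecode; b'' if no stream."""
    m = STREAM_RE.search(body)
    if not m:
        return b""
    data = m.group(1)
    if b"/FlateDecode" in body:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # damaged or unusual stream: fall back to scanning the raw bytes
    return data

def literal_string(body: bytes, start: int) -> bytes:
    """PDF literal string starting at body[start] == b'(': balanced parentheses may appear
    unescaped inside it, and a backslash escapes the next byte."""
    depth, i, out = 0, start, bytearray()
    while i < len(body):
        c = body[i]
        if c == 0x5C:          # backslash: keep the escaped byte verbatim
            out += body[i + 1:i + 2]
            i += 2
            continue
        if c == 0x28:          # '('
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == 0x29:        # ')'
            depth -= 1
            if depth == 0:
                break
        out.append(c)
        i += 1
    return bytes(out)

def extract_js(objects: dict) -> list:
    """Every JavaScript body, whether stored inline as /JS (...) or referenced as /JS N 0 R."""
    scripts = []
    for body in objects.values():
        ref = re.search(rb"/JS\s*(\d+)\s+\d+\s+R", body)
        if ref:
            data = stream_data(objects.get(int(ref.group(1)), b""))
            if data:
                scripts.append(data)
            continue
        lit = re.search(rb"/JS\s*\(", body)
        if lit:
            scripts.append(literal_string(body, lit.end() - 1))
    return scripts

JS_INDICATORS = {
    "version_branching": rb"app\.viewerVersion",  # picks a code path by Reader version, as the article describes
    "collab_geticon": rb"Collab\.getIcon",        # the API the article names for pre-9.0 Readers
    "shellcode_staging": rb"unescape\s*\(",       # generic tell (assumption): %u-encoded byte strings built in JS
}

def triage_pdf(pdf: bytes) -> dict:
    """Static triage: does the file carry JavaScript, does it auto-run, which indicators appear?"""
    scripts = extract_js(split_objects(pdf))
    found = [name for name, pat in JS_INDICATORS.items() if any(re.search(pat, js) for js in scripts)]
    auto_run = re.search(rb"/OpenAction|/AA\b", pdf) is not None
    verdict = "suspicious" if scripts and (auto_run or found) else "clean"
    return {"scripts": len(scripts), "auto_run": auto_run, "indicators": found, "verdict": verdict}
```

Running `triage_pdf(build_sample_pdf(SAMPLE_JS, inline=False))` reports one script, `auto_run` true and the `version_branching` and `collab_geticon` indicators; the inline variant gives the same result, which is the point of inflating streams before matching, since a pattern scan over the raw file would miss compressed JavaScript entirely. Production triage tools cover far more of the PDF syntax (xref streams, object streams, other filters, string obfuscation in the JavaScript itself), but the decision they make is the same one this function makes.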
The majority of MyAgent’s payloads are easily detected by up-to-date antivirus products.