Cyber attack using PDFs targets industries
A new kind of targeted cyber attack against defense, chemical and technology industries is slipping into networks under the guise of PDF files, said cyber security experts.
FireEye Malware Intelligence Lab and Kaspersky Labs noted on Aug. 15 that the new malware has the makings of a targeted attack campaign against several high-value industries, including defense, chemical, technology and aerospace. It uses a Trojan program disguised as a PDF to deliver its payload. The MyAgent Trojan spreads primarily through email, as a zipped .exe file or as a PDF attachment, according to researchers writing on FireEye’s blog.
FireEye researchers said they had been tracking malware they called “Trojan.MyAgent” for some time. The malware currently uses email as its primary vector of propagation, they said, and data from FireEye’s Malware Protection Cloud (MPC) indicated it was targeting those industries.
“We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment,” said the researchers. In some instances the emails carry what appear to be PDF files labeled “Health Insurance and Welfare Policy.” Once the file is opened, the malware runs, the researchers said. In addition to opening a PDF file, the malware drops another executable, ABODE32.exe, in the temp directory; the typo in ABODE32 is intentional, they said. Both the dropper and the dropped executable have decent detection on VirusTotal (VT).
FireEye noted that the ABODE32.exe executable accesses Windows Protected Storage, which holds saved passwords for Internet Explorer, Outlook and other applications.
Once it has a foothold on the infected system, the malware connects back to its command and control server; the user agent string and URI it uses are hard-coded into MyAgent’s binary, the group said. FireEye also observed the malware loading different DLLs to communicate with its command and control server. Despite MyAgent’s relatively high detection rate, FireEye said, its dynamic intermediary stages put the malware in the “advanced” category.
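The two indicators the article gives a defender to work with are the delivery lure (an executable inside a zip, or a file named as a PDF that is not one) and the dropped file ABODE32.exe in the user's temp directory. The script below is an added illustration, not FireEye's or Kaspersky's code, of checking both against constructed sample data: attachment bytes are classified by their magic header rather than their extension, and process-creation records are scanned for the misspelled dropper name under a Temp folder. The log line format, file paths and payload bytes are assumptions made for the example; the malware's real hashes, user agent and URI are not given in the article and are not reproduced here.

```python
"""
Added detection example (not FireEye's or Kaspersky's code) for the two
indicators the article describes. Sample data below is constructed.
"""
import io
import zipfile
from typing import List

PDF_MAGIC = b"%PDF-"   # every PDF file begins with this header
PE_MAGIC = b"MZ"       # every Windows executable begins with the DOS stub


def classify_payload(data: bytes) -> str:
    """Classify content by its leading bytes rather than trusting the extension."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Return findings for one attachment: an executable inside a zip archive,
    or a file named .pdf whose content is not a PDF."""
    findings = []
    blob = io.BytesIO(data)
    if zipfile.is_zipfile(blob):
        blob.seek(0)
        with zipfile.ZipFile(blob) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                if classify_payload(zf.read(member)) == "pe":
                    findings.append(f"{filename}: archive contains executable {member.filename}")
    elif filename.lower().endswith(".pdf"):
        kind = classify_payload(data)
        if kind != "pdf":
            findings.append(f"{filename}: named .pdf but content is {kind}")
    return findings


DROPPED_NAME = "abode32.exe"   # the intentionally misspelled dropped executable


def find_dropped_executables(log_lines: List[str]) -> List[str]:
    """Return Image paths of process starts for ABODE32.exe directly under a Temp
    directory. Input is a constructed key="value" process-creation log format."""
    hits = []
    marker = 'Image="'
    for line in log_lines:
        start = line.find(marker)
        if start < 0:
            continue
        start += len(marker)
        image = line[start:line.find('"', start)]
        parts = image.lower().replace("/", "\\").split("\\")
        if len(parts) >= 2 and parts[-1] == DROPPED_NAME and parts[-2] == "temp":
            hits.append(image)
    return hits


# Constructed samples: a minimal genuine PDF, a PE stub, and a zip carrying a
# double-extension executable, mirroring the lure names the article reports.
PE_STUB = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
REAL_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"


def build_zip(member_name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


LURE_ZIP = build_zip("Health Insurance and Welfare Policy.pdf.exe", PE_STUB)

SAMPLE_PROCESS_LOG = [  # constructed, not real telemetry
    r'EventID=1 Image="C:\Program Files\Adobe\Reader\AcroRd32.exe" ParentImage="C:\Windows\explorer.exe"',
    r'EventID=1 Image="C:\Users\alice\AppData\Local\Temp\ABODE32.exe" ParentImage="C:\Users\alice\Downloads\policy.exe"',
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    samples = [("policy.pdf", REAL_PDF),
               ("Health Insurance and Welfare Policy.pdf", PE_STUB),
               ("policy.zip", LURE_ZIP)]
    for name, data in samples:
        for finding in inspect_attachment(name, data):
            print("ATTACHMENT:", finding)
    for image in find_dropped_executables(SAMPLE_PROCESS_LOG):
        print("DROPPER:", image)
```

The magic-byte check is deliberately independent of the filename: a lure such as "Health Insurance and Welfare Policy.pdf" that is really a PE, or a zip whose only member ends in .exe, is flagged regardless of how it is labeled. The process-log check matches the exact misspelled name only in a Temp directory, which keeps the legitimate AcroRd32.exe in the sample from producing a hit.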