Cyber attack using PDFs targets industries
A new targeted cyber attack against the defense, chemical and technology industries is slipping into networks under the guise of PDF files, cyber security experts said.
FireEye's Malware Intelligence Lab and Kaspersky Labs noted on Aug. 15 that the new malware has the makings of a targeted attack campaign against several high-value industries, including defense, chemical, technology and aerospace, and that it relies on a Trojan delivered with PDF files to drop its payload. The MyAgent Trojan spreads primarily through email, as either a zipped .exe or a PDF attachment, according to researchers writing on FireEye's blog.
FireEye researchers said they had been tracking malware they call "Trojan.MyAgent" for some time. Email is currently its primary propagation vector, they said, and data from FireEye's Malware Protection Cloud (MPC) indicated it was targeting those industries.
"We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment," said the researchers. In some instances the emails carry attachments disguised as PDF files labeled "Health Insurance and Welfare Policy." Once the attachment is opened, the malware runs. Besides opening a PDF file, the dropper also writes a second executable, ABODE32.exe, to the temp directory; the misspelling of "Adobe" in ABODE32 is intentional, they said. Both the dropper and the dropped executable have decent detection on VirusTotal (VT).
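The ABODE32.exe drop is a common dropper pattern: an executable written to a temp directory under a near-miss of a trusted vendor name. As an added example, not code from the article, FireEye or Kaspersky, the Python below scans constructed Sysmon-style file-creation events for exactly that pattern. The event format, the trusted-name list, the edit-distance threshold and the sample events are all assumptions for illustration, not observed telemetry.

```python
"""Added example: flag executables dropped into a temp directory under a
look-alike vendor name (the ABODE32.exe-versus-Adobe pattern). The event
lines, the trusted-name list and the distance threshold are constructed
assumptions for this example, not data from the article."""
import os
import re

# Vendor name stems a dropper might imitate (assumption for this example).
TRUSTED_STEMS = ("adobe", "acrord", "acrobat")
TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)
TARGET_RE = re.compile(r"TargetFilename=(.+)$")
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}

# Constructed Sysmon-style file-create (EventID 11) events; not real telemetry.
SAMPLE_EVENTS = [
    r"2012-08-15T10:02:11Z EventID=11 Image=C:\Users\bob\AppData\Local\Temp\policy.exe TargetFilename=C:\Users\bob\AppData\Local\Temp\ABODE32.exe",
    r"2012-08-15T10:02:12Z EventID=11 Image=C:\Users\bob\AppData\Local\Temp\policy.exe TargetFilename=C:\Users\bob\AppData\Local\Temp\Health Insurance and Welfare Policy.pdf",
    r"2012-08-15T10:05:40Z EventID=11 Image=C:\Windows\System32\msiexec.exe TargetFilename=C:\Program Files\Adobe\Reader\AcroRd32.exe",
    r"2012-08-15T10:07:03Z EventID=11 Image=C:\Users\bob\Downloads\setup.exe TargetFilename=C:\Users\bob\AppData\Local\Temp\setup.exe",
    r"2012-08-15T10:08:19Z EventID=11 Image=C:\Users\bob\Downloads\setup.exe TargetFilename=C:\Users\bob\AppData\Local\Temp\adobe.exe",
]


def levenshtein(a, b):
    """Edit distance between two short strings (plain O(len(a)*len(b)) DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(path, max_dist=2):
    """Return the trusted stem this file name imitates, or None.

    Trailing digits are ignored so ABODE32 compares as 'abode'. An exact
    match (distance 0) is the genuine name, not a look-alike, so it is not
    reported here; a genuine vendor binary in a temp directory is a separate
    (location-based) rule.
    """
    stem = os.path.splitext(path.replace("\\", "/").rsplit("/", 1)[-1])[0]
    core = stem.lower().rstrip("0123456789")
    if not core:
        return None
    best = min(TRUSTED_STEMS, key=lambda t: levenshtein(core, t))
    dist = levenshtein(core, best)
    return best if 1 <= dist <= max_dist else None


def scan(events):
    """Return (dropped_path, imitated_name) for look-alike executables in temp dirs."""
    hits = []
    for line in events:
        m = TARGET_RE.search(line)
        if not m:
            continue
        path = m.group(1).strip()
        if not TEMP_DIR_RE.search(path):
            continue                      # only temp-directory drops are of interest
        if os.path.splitext(path)[1].lower() not in EXEC_EXTS:
            continue                      # decoy PDFs and the like are not executables
        imitated = lookalike_of(path)
        if imitated:
            hits.append((path, imitated))
    return hits


if __name__ == "__main__":
    for path, name in scan(SAMPLE_EVENTS):
        print(f"suspicious drop: {path} (looks like '{name}')")
```

Only the ABODE32.exe event is reported: the decoy PDF fails the extension check, the AcroRd32.exe install is outside a temp directory, setup.exe is not close to any trusted name, and adobe.exe is an exact match rather than a near-miss. Tune `max_dist` against your own file-creation telemetry before deploying; a threshold of 2 on very short stems will produce noise.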
FireEye noted that the ABODE32.exe executable accesses Windows Protected Storage, which holds saved passwords for Internet Explorer, Outlook and other applications.
Once it has a foothold on the infected system, the malware connects back to its command-and-control server, said the group; the user agent string and URI it uses are hard-coded into MyAgent's binary. FireEye also noticed the malware loading different DLLs to communicate with its command and control. Despite MyAgent's relatively high detection rate, FireEye said, its dynamic intermediary stages put the malware in the "advanced" category.