MyAgent Trojan Targets Key Technology-Related Industries

According to researchers at the FireEye Malware Intelligence Lab, the MyAgent trojan masks its payload as a zipped health insurance policy, but then downloads a second file entitled, "ABODE32.exe," which may have had its name derived from PDF originator Adobe’s, into the temp directory. The executable then accesses Windows Protected Storage where passwords for Internet Explorer, Outlook and additional applications are kept, and it begins uploading data to command-and-control servers. Symptoms of infection include the loading of various DLLs, which are believed to be used to support communication with C&C servers.

The malware also uses JavaScript to assess which version of Adobe Reader is currently running on the host machine, and then executes attacks based on known vulnerabilities in the discovered version.

[Related: How To Tackle Thorny IT Security Issues ]

FireEye reports that most of the payloads are detected by updated antivirus software, based on research executed by running the binaries through VirusTotal. Despite the favorable detection rate, FireEye classifies the MyAgent Trojan as advanced malware based on the constant changes that the Trojan makes to its intermediary stages in order to install the actual payload.

Channel partners serving the aerospace, chemical, defense and technology industries are urged to insure that client antivirus packages are up to date. They are also urged to instruct clients to avoid zipped PDF files entitled "Health Insurance and Welfare Policy" and to be on the lookout for the arrival of suspicious DLLs.

PUBLISHED AUG. 16, 2012