At FireEye we have been tracking a particular piece of malware we call Trojan.MyAgent for some time now. The malware is currently using email as its primary vector of propagation. From looking at the data in the FireEye Malware Protection Cloud (MPC), we can see that the malware is currently targeting the following industries:
We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment. In this particular sample, the exe, once executed, opens a PDF file called “Health Insurance and Welfare Policy.” In addition to opening the PDF file, the initial exe also drops another executable called ABODE32.exe (notice the typo, mimicking Adobe) in the temp directory. Both the dropper and the dropped executable have decent detection on VirusTotal (VT). Here are the detection links to both binaries.
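The ABODE32.exe name is a near-miss of a trusted vendor name written into a temp directory, which is a pattern a defender can check for generically rather than by exact string. The following is an added example, not code from the FireEye post: it scores executable names found in temp directories by edit distance against a small list of legitimate name stems (the list and the sample paths are constructed assumptions for illustration).

```python
# Added example (not from the original post): flag executables written to a temp
# directory whose names are near-misses of well-known vendor binaries, the way
# "ABODE32.exe" mimics Adobe. The legitimate stems below are an assumed, illustrative list.
import os

LEGIT_STEMS = {"adobe", "acrobat", "acrord", "reader"}  # assumed, not exhaustive


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a small non-zero distance to a legit stem signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(path: str) -> str:
    """Lower-cased basename without extension or trailing digits: 'ABODE32.exe' -> 'abode'."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    return name.rsplit(".", 1)[0].rstrip("0123456789")


def is_temp_path(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return "\\temp\\" in p or "\\tmp\\" in p


def lookalike_verdict(path: str):
    """Return (closest_legit_stem, distance) for a lookalike .exe in a temp dir, else None."""
    if not path.lower().endswith(".exe") or not is_temp_path(path):
        return None
    s = stem(path)
    best = min(LEGIT_STEMS, key=lambda legit: levenshtein(s, legit))
    d = levenshtein(s, best)
    return (best, d) if 1 <= d <= 2 else None  # distance 0 is the real name, >2 is unrelated


def scan(paths):
    """Map each flagged path to its verdict; unflagged paths are omitted."""
    return {p: v for p in paths if (v := lookalike_verdict(p)) is not None}


# Constructed sample paths (not real telemetry); only the first should be flagged.
SAMPLE_PATHS = [
    r"C:\Users\bob\AppData\Local\Temp\ABODE32.exe",
    r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
    r"C:\Windows\Temp\setup.exe",
    r"C:\Users\bob\AppData\Local\Temp\Health Insurance and Welfare Policy.pdf",
]
```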
This is the PDF document that the executable opens:
Once it gets a foothold on the infected system, the malware connects back to its command and control server. In the samples we have observed, the user agent string and the URI to which it calls back are hard-coded inside the binary. However, we have seen different binaries use different user agents and URIs, so a signature on any single value will not cover the family. The GET request of the malware looks like the request in the picture below.
Most of the binaries we observed have fairly good detection, barring a few that are detected by only two out of 42 AV vendors on VirusTotal. Here are the VT links for the binaries that are not very well detected.
We have also observed versions of this malware loading other DLLs responsible for communicating with the command and control server. Despite the decent detection of some samples, the constant changes it makes to its intermediate stages in order to install the actual payload put this malware into the category of advanced malware.