Blog

Tracking Email Malware Trojan.MyAgent

At FireEye we have been tracking a particular piece of malware we call Trojan.MyAgent for some time now. The malware is currently using email as its primary vector of propagation. From looking at the data in the FireEye Malware Protection Cloud (MPC), we can see that the malware is currently targeting the following industries:

  • Defense
  • Chemicals
  • Technology
  • Aerospace


We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment. In this particular sample, the exe once executed opens up a PDF file called “Health Insurance and Welfare Policy.” In addition to opening up a PDF file, the initial exe also drops another executable called ABODE32.exe (notice the typo) in the temp directory. Both the dropper and the dropped executables have decent detection on VirusTotal (VT). Here are the detection links to both the binaries.

https://www.virustotal.com/file/dc79b2943ad797e39ea3830ada7dc33051b5c8c048653ed61e1ebdb8a0098f7d/analysis/ - Dropped (ABODE32.exe)

https://www.virustotal.com/file/d4d2814fbe94baca085392e44a5340370cf66738addb3f27860a2b539b148b41/analysis/ - Dropper

This is the PDF document that the executable opens:

Historical1

The dropped executable (ABODE32.exe) is seen accessing Windows Protected Storage and the Credentials Store. The Windows Protected Storage stores IE, Outlook, and other passwords.

Pstorec1

 

CredEnum1

Once it gets a foothold on the infected system, the malware connects back to its command and control server. In the samples we have observed the user agent string and the URI to which it calls back is hard coded inside of the binary. However we have seen different binaries use different user agents and URIs. The GET request of the malware looks like the request in the picture below.

Myagent

As mentioned above, we have seen the malware get delivered as different files via email. The PDF version of the dropper uses fairly well known exploits. The JavaScript inside of the PDF checks the Adobe Reader version and launches the appropriate exploits. If the Reader version is less than 9.0, then it exploits the Collab.getIcon() vulnerability. Below is a small snippet of the how the JavaScript exploit looks.

Myagent_js

Most of the binaries we observed have fairly good detections barring a few that have only two out of 42 AV vendors detecting them on VirusTotal. Here are the VT links for the binaries that are not very well detected.

https://www.virustotal.com/file/96f825b4c9ccb85356b06fac8e0d94149e9a7ae5c61036fa6196461b05b1aa5a/analysis/ – ß dropper

https://www.virustotal.com/file/c57aa919196c547a0f1d9008f8d918678e3253932f1c0f134f0a0531e8f1b2bc/analysis/ – ß dropped

We have also observed versions of this malware loading other DLLs responsible for communicating with the command and control server. Despite the decent detection of some samples of this malware, the constant changes it makes to its intermediary stages to install the actual payload, puts it into the category of advanced malware.

One thought on “Tracking Email Malware Trojan.MyAgent

  1. Can you provide some feedback on what Versions of Adobe Reader and Acrobat are affected by these infected PDFs? You do have a mention of versions prior to 9.0 using one attack method, however do the patches released in August 2012 fix the vulnerabilities exploited?

Comments are closed.