FireEye Security experts are analyzing a targeted trojan that leverages emailed PDF files to gain access to systems and deliver its payload to specified networks in the aerospace, chemical, defense and tech industries.
"We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment. In this particular sample, the exe once executed opens up a PDF file called 'Health Insurance and Welfare Policy.' In addition to opening up a PDF file, the initial exe also drops another executable called ABODE32.exe (notice the typo) in the temp directory."
The malware also uses JavaScript to determine which version of Adobe Reader is installed on the host machine, and then runs an exploit for a known vulnerability in the discovered version. Once the trojan has infected its host, it communicates with its command-and-control server; the user agent string and URI it uses are hard-coded into MyAgent's binary.
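The version-probing JavaScript described above gives a defender something concrete to look for before a PDF ever reaches Reader. The following Python script is an added triage example, not code from FireEye or from this post: it scans raw PDF bytes for the action and script markers that such a document needs (`/OpenAction`, `/JS`, `/JavaScript`, the Acrobat `app.viewerVersion` property), after undoing two cheap evasions that commonly defeat naive string matching, `#xx` escapes in PDF names (`/J#61vaScript`) and hex-encoded string literals (`<6170...>`). The three sample documents are constructed for the example and are not real samples; compressed (`/FlateDecode`) streams are not inflated here, so a production check would decompress them first.

```python
import re

# Constructed sample PDFs (not real malware). The first is benign; the second
# auto-runs JavaScript that checks the Reader version; the third does the same
# but hides the keywords behind a #xx name escape and a hex string literal.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
"""

JS_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /OpenAction 3 0 R >>
endobj
3 0 obj
<< /S /JavaScript /JS (var v = app.viewerVersion; if (v < 9) { app.alert("old"); }) >>
endobj
"""

# /J#61vaScript decodes to /JavaScript; the hex string is "app.viewerVersion".
OBFUSCATED_PDF = b"""%PDF-1.5
1 0 obj
<< /Type /Catalog /OpenAction 3 0 R >>
endobj
3 0 obj
<< /S /J#61vaScript /JS <6170702e76696577657256657273696f6e> >>
endobj
"""

# Marker -> why it matters. These are real PDF name/JS identifiers.
INDICATORS = {
    b"/JavaScript": "JavaScript action present",
    b"/JS": "JavaScript code string or stream",
    b"/OpenAction": "action runs automatically when the file is opened",
    b"/AA": "event-triggered (additional) actions",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "carries an embedded file",
    b"app.viewerVersion": "script probes the Adobe Reader version",
}


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF name objects, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def decode_hex_strings(data: bytes) -> bytes:
    """Rewrite <hex> string literals as (literal) strings so keyword scans see them.

    The lookbehind keeps '<<' dictionary delimiters from being treated as strings.
    """
    def repl(m):
        digits = re.sub(rb"\s+", b"", m.group(1))
        if not digits:
            return m.group(0)
        if len(digits) % 2:            # PDF pads an odd trailing nibble with 0
            digits += b"0"
        return b"(" + bytes.fromhex(digits.decode("ascii")) + b")"
    return re.sub(rb"(?<!<)<((?:[0-9A-Fa-f]|\s)+)>", repl, data)


def triage_pdf(data: bytes) -> dict:
    """Return {marker: description} for every suspicious marker found in the PDF."""
    normalized = decode_hex_strings(normalize_names(data))
    found = {}
    for marker, description in INDICATORS.items():
        # Negative lookahead stops /JS matching /JSX-style longer names.
        if re.search(re.escape(marker) + rb"(?![A-Za-z0-9])", normalized):
            found[marker.decode("ascii")] = description
    return found


def risk_score(found: dict) -> int:
    """Simple additive score; auto-running script plus a version probe is the
    classic drive-by pattern, so those combinations are weighted extra."""
    score = len(found)
    if "/OpenAction" in found and ("/JS" in found or "/JavaScript" in found):
        score += 2
    if "app.viewerVersion" in found:
        score += 2
    return score


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("js", JS_PDF),
                         ("obfuscated", OBFUSCATED_PDF)):
        hits = triage_pdf(sample)
        print(f"{name}: score={risk_score(hits)} {hits}")
```

Run it as a mail-gateway or sandbox pre-filter: anything scoring above the benign baseline is worth detonating or holding, and the decoded markers tell the analyst which object to open first. The two normalisation passes are the point of the example; a scanner that only greps for the literal `/JavaScript` misses the third document entirely.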
FireEye reports that most of the payloads are detected by updated antivirus software, based on research executed by running the binaries through VirusTotal.
Source: Forum - NETASQ India