MSIL / Agent.PYO Analysis

    Our analysts found an interesting example of a malicious program that specializes in filling out forms of a web page owned by the website of the Polish Consulate in Belarus. The website contains a special section on filling in the data for obtaining a visa, more precisely, on filling out the data for an invitation to a meeting or interview at a consulate. It occurred to the attackers to write a malicious program in C # that would perform this process of filling data in automatic mode.

    The malware was added by our analysts to the database as MSIL / Agent.PYO . It is a multi-component malware: a downloader (we discovered several versions of it, one was written in C #, the other in C ++), an updater and the main component called “Konsulat.RemoteClient”.

    The MSIL / Agent.PYO executable is obfuscated using .NET Reactor , however, it incorporates modules presented in their normal form (without obfuscation).

    Those modules that are not obfuscated can be simply decompiled with JustDecompile , dotpeek, or ILSpy . Using them, you can recreate the source code, almost identical to the original.

    The malware is divided into several modules.

    The code responsible for interacting with the remote C & C server is executed using the WCF ( Windows Communication Foundation ) development environment), which is also used to develop web services. The main executable file contains the following C&C commands.

    The fact is that Belarusians who want to get a visa need to fill out a special form on the site, which was mentioned above. This form is used to make an appointment at the consulate. The form itself must be completed (filed) on time (for example, to obtain a visa in January, the form must be completed on December 20th and 21st). After providing the necessary documents, the person who filed the application will be called for an interview or meeting. But, as indicated on numerous thematic forums, the number of such meetings is limited, so there is competition. In order to secure a favorable position and increase the likelihood of getting an interview, some people resort to using special web scriptswho can fill out the information automatically for submission to the embassy.

    Four days before the visa registration was opened on the consulate’s website, the MSIL / Agent.PYO downloader began to be distributed by cybercriminals using the Nuclear Exploit Kit and was aimed specifically at computers located in Belarus. Statistics on shortened links that were used to redirect users showed that 200 thousand users were redirected to malicious content within six days. To defeat such bots, the consulate’s website added a special CAPTCHA mechanism and limited the number of active server connections for IP addresses belonging to Poland and Belarus.

    As expected, on December 20th and 21st, bots began to receive commands to fill out visa application forms. During this time, the attackers several times released an update for the malicious program.

    Tracking botnet activity has shown that it contains about 300 computers. Almost all of them are located in Belarus. In addition, over five weeks, 925 computers that participated in the botnet were recorded. The information we collected was transmitted to the CERT-PL and CERT-BY threat response centers located in Poland and Belarus.

    Also popular now: