Our analysts have discovered an interesting example of a malicious program that specializes in filling out forms on the website of the Polish consulate in Belarus. The website contains a special section for entering visa application data, more precisely, the data needed to request an appointment or interview with the consulate. The attackers wrote a C# malware program that performs this data entry automatically.

Our analysts added the malware to the database as MSIL/Agent.PYO. It is a multicomponent malware: a downloader (we found several versions of it, one written in C#, another in C++), an updater and a main component called “Konsulat.RemoteClient”.
The MSIL/Agent.PYO executable file is obfuscated with .NET Reactor; however, it embeds modules in normal (unobfuscated) form.

The modules that are not obfuscated can simply be decompiled with tools such as JustDecompile, dotPeek or ILSpy. With them, you can recover source code that is almost identical to the original.

The malware is divided into several modules.

The code responsible for interacting with the remote C&C server was written with WCF (Windows Communication Foundation), a framework that is also used to build web services. The main executable file contains the following commands for working with the C&C.

The reason is that Belarusians who want to obtain a visa must fill out a special form on the website mentioned above. This form is used to schedule an appointment at the consulate. The form must be submitted within a certain time window (for example, to receive a visa in January, the form must be filled in on December 20th and 21st). After submitting the required documents, the applicant is summoned for an interview or appointment. But, as noted on numerous thematic forums, the number of such appointments is limited, so there is competition. To secure a favorable position and increase the likelihood of getting an interview, some individuals resort to special web scripts that fill in the information automatically and submit it to the embassy.

Four days before visa registration opened on the consulate’s website, attackers began distributing the MSIL/Agent.PYO downloader through the Nuclear Exploit Kit, targeting specifically computers located in Belarus. Statistics for the shortened bit.ly links used to redirect users show that 200 thousand users were redirected to malicious content within six days. To defeat such “bots”, the consulate’s website added a CAPTCHA mechanism and limited the number of active connections to the server for IP addresses belonging to Poland and Belarus.
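As an added illustration of the per-source throttling the consulate applied (example code written for this write-up, not code from the malware or from the consulate’s site), the snippet below scans web-server access logs and flags client IPs that submit the appointment form faster than a person could. The form path and the Common Log Format sample lines are constructed assumptions; the page does not give the real endpoint.

```python
"""Flag source IPs that POST the appointment form too often inside a sliding window.
Constructed example: the form path, IPs, dates and log lines are not from the incident."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical endpoint; the real form path is not given in the write-up.
FORM_PATH = "/visa/appointment"
# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log: one client hammering the form, one behaving normally.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Dec/2013:09:00:01 +0100] "GET /visa/appointment HTTP/1.1" 200 512',
    '203.0.113.10 - - [20/Dec/2013:09:00:02 +0100] "POST /visa/appointment HTTP/1.1" 200 128',
    '203.0.113.10 - - [20/Dec/2013:09:00:03 +0100] "POST /visa/appointment HTTP/1.1" 200 128',
    '203.0.113.10 - - [20/Dec/2013:09:00:04 +0100] "POST /visa/appointment HTTP/1.1" 200 128',
    '203.0.113.10 - - [20/Dec/2013:09:00:05 +0100] "POST /visa/appointment HTTP/1.1" 200 128',
    '198.51.100.7 - - [20/Dec/2013:09:05:00 +0100] "POST /visa/appointment HTTP/1.1" 200 128',
    '198.51.100.7 - - [20/Dec/2013:09:20:00 +0100] "POST /visa/appointment HTTP/1.1" 200 128',
]


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def flag_bursty_ips(lines, max_posts=3, window=timedelta(seconds=60)):
    """Return the set of IPs that POST FORM_PATH more than max_posts times within `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of recent form POSTs
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path != FORM_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop submissions older than the window
            q.popleft()
        if len(q) > max_posts:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    print(sorted(flag_bursty_ips(SAMPLE_LOG)))
```

Flagged addresses are candidates for a CAPTCHA challenge or a connection cap rather than an outright block, since many legitimate applicants may sit behind one NAT address.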

As expected, on December 20th and 21st, the bots began receiving commands to fill out visa application forms. During this period, the attackers released updates to the malicious program several times.

Monitoring the botnet’s activity showed that it contained about 300 computers, almost all of them located in Belarus. In addition, over five weeks, 925 computers were recorded as having participated in the botnet. The information we collected was handed over to the computer emergency response teams CERT-PL and CERT-BY, which are located in Poland and Belarus.