Full Report
ESET's researchers recently encountered a piece of malware built to fill out the online forms of the Consulate of Poland. To understand why, it is first necessary to take a brief look at the visa application process.
Analysis Summary
# Tool/Technique: MSIL/Agent.PYO
## Overview
MSIL/Agent.PYO is a piece of malware designed for the specific purpose of automating the filling out of visa application forms for the Consulate of Poland, likely targeting individuals trying to secure limited appointment slots. It operates as a sophisticated botnet.
## Technical Details
- Type: Malware family (Botnet component)
- Platform: Windows (Implied, due to .NET compilation and analysis tools)
- Capabilities: Form filling automation, modular structure (downloader, updater, main client), C&C communication via WCF.
- First Seen: January 2015 (Based on the article's publication date and related activity observation).
## MITRE ATT&CK Mapping
*Note: Specific technique mapping is inferred based on the malware's description (downloading, C2 communication, remote execution).*
- T1190 - Exploit Public-Facing Application
- T1190.001 - Exploit Web Application
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Used for communication with C&C)
- T1566 - Phishing/Delivery
- T1566.001 - Spearphishing Attachment (Delivery via Exploit Kit redirection implies a compromise pathway)
- T1059 - Command and Scripting Interpreter (Automating form submission implies execution of commands/scripts)
- T1059.005 - Visual Basic (If .NET is involved, though C#/.NET usage is specified)
## Functionality
### Core Capabilities
- Targeted execution against specific web forms related to the Polish Consulate visa application process.
- Components include a downloader (found in both C# and C++ versions), an updater, and the main client, 'Konsulat.RemoteClient'.
- The main executable is obfuscated using .NET Reactor.
### Advanced Features
- Communication with Command and Control (C&C) servers utilizes Windows Communication Foundation (WCF).
- The botnet involved rapid version updates leading up to and following the registration dates.
- The botnet was geographically targeted: it was initially set to operate only on machines with Polish or Belarusian IP addresses, although the samples were distributed primarily in Belarus via an exploit kit.
## Indicators of Compromise
- File Hashes:
  - SHA1: `01baf70db10c506a5ff7629a4a8a30416835769f` (Downloader - Win32/TrojanDownloader.Agent.AZM)
  - SHA1: `3a63b784b900688e55b8925cbead856f62535ada` (Downloader - MSIL/Agent.PYO)
  - SHA1: `80e49d21e314e17c8d99230444f77820c67318cb` (Updater - MSIL/Agent.PYO)
  - SHA1: `254e1ceaa44ce19570a6d4b0812d3b6081a48782` (RemoteClient - MSIL/Agent.PYO)
- File Names: `Konsulat.RemoteClient` (internal name)
- Registry Keys: [Not specified in the text]
- Network Indicators:
  - C&C Endpoint 1: `net.tcp://37.28.153.162:26900/control`
  - C&C Endpoint 2: `net.tcp://37.28.153.162:26900/log`
  - C&C Endpoint 3: `http://37.28.153.162:7425/`
- Behavioral Indicators: Attempting to interact with the specific login/registration interfaces on the Polish Consulate website (`by.e-konsulat.gov.pl`).
## Associated Threat Actors
- Unspecified malware developer/operator focusing on exploiting visa appointment scarcity.
## Detection Methods
- Signature-based detection: Specific detection names assigned by ESET (e.g., `Win32/TrojanDownloader.Agent.AZM`, `MSIL/Agent.PYO`).
- Behavioral detection: Monitoring for activity designed to rapidly fill out web forms or unusual network protocols originating from compromised hosts, especially those restricted by IP location checks.
- YARA rules: [Not specified in the text, but decompilation analysis of the .NET structure could yield rules.]
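As an added example, not code from ESET's article or from this report: a small Python detector that applies the two approaches above to constructed log lines, matching the C&C endpoints listed under Indicators of Compromise and flagging a host that posts the consulate's form at an abnormal rate. The log line format, the 60-second window and the five-POST threshold are assumptions made for the illustration.

```python
# Added example: IOC matching plus rate-based detection of automated form submission.
# Log format (assumed): "ISO-timestamp src_ip dst_host dst_port method path".
from collections import defaultdict
from datetime import datetime, timedelta

# Network indicators from the report: C&C on 37.28.153.162, ports 26900 (net.tcp) and 7425 (http).
C2_ENDPOINTS = {("37.28.153.162", 26900), ("37.28.153.162", 7425)}
TARGET_HOST = "by.e-konsulat.gov.pl"
# Assumed threshold: more than five form POSTs from one source within 60 seconds is flagged.
POST_LIMIT, WINDOW = 5, timedelta(seconds=60)

def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, port, method, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "method": method, "path": path}

def detect(lines):
    """Return a sorted list of (src_ip, reason) findings for the given log lines."""
    findings = set()
    posts = defaultdict(list)  # src_ip -> timestamps of recent form POSTs to the portal
    for rec in map(parse_line, lines):
        if (rec["dst"], rec["port"]) in C2_ENDPOINTS:
            findings.add((rec["src"], f"c2-connection:{rec['dst']}:{rec['port']}"))
        if rec["dst"] == TARGET_HOST and rec["method"] == "POST":
            stamps = posts[rec["src"]]
            stamps.append(rec["ts"])
            # drop POSTs that have fallen out of the sliding window
            while stamps and rec["ts"] - stamps[0] > WINDOW:
                stamps.pop(0)
            if len(stamps) > POST_LIMIT:
                findings.add((rec["src"], "rapid-form-submission"))
    return sorted(findings)

# Constructed sample log: one infected host (10.0.0.5) and one ordinary user (10.0.0.9).
# "CONNECT" is a constructed label for a raw net.tcp session, which is not HTTP.
SAMPLE_LOG = (
    ["2015-01-20T09:00:00 10.0.0.5 37.28.153.162 26900 CONNECT /control",
     "2015-01-20T09:00:01 10.0.0.9 by.e-konsulat.gov.pl 443 GET /registration"]
    + [f"2015-01-20T09:00:{s:02d} 10.0.0.5 by.e-konsulat.gov.pl 443 POST /registration"
       for s in range(2, 20, 3)]  # six POSTs in 15 seconds
    + ["2015-01-20T09:00:30 10.0.0.9 by.e-konsulat.gov.pl 443 POST /registration",
       "2015-01-20T09:01:00 10.0.0.5 37.28.153.162 7425 GET /"]
)

if __name__ == "__main__":
    for src, reason in detect(SAMPLE_LOG):
        print(src, reason)
```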
## Mitigation Strategies
- Network Access Control: Restricting access to sensitive portals by geography (the consulate limited access to Polish and Belarusian IP addresses).
- Exploit Kit Mitigation: Ensuring systems are patched against vulnerabilities exploited by the Nuclear Exploit Kit.
- Anti-Malware Protection: Deploying modern endpoint protection capable of detecting .NET obfuscation and behavior associated with automated form submission.
## Related Tools/Techniques
- Nuclear Exploit Kit (Used for initial delivery of the downloader component).
- Automated web form submission scripts/bots (This malware functions as a purpose-built botnet version of such scripts).