MUMBAI, India – February 4, 2015: ESET researchers have uncovered a piece of malicious code dubbed Malware Agent.PYO, which has been busy targeting a Polish diplomatic mission in Belarus in the last couple of weeks. The cyber-criminals were capable of building a botnet that automatically fills out forms for some visa applicants at a Polish consulate in Belarus.
The downloader component of MSIL/Agent.PYO was distributed to computers located in Belarus using the Nuclear Exploit Kit. Statistics for the redirection chain show that more than 200,000 computers were redirected to the exploit kit in about six days. What’s more, the uncovered botnet itself networked almost one thousand computers. ESET has provided the information on this incident to both the Polish and Belarusian branches of the Computer Emergency Readiness Team (CERT).
“We understand that obtaining an appointment for the visa can be quite difficult at times and thus a special online process is set up to have the appointment confirmed,” says ESET researcher Sebastien Duquette, adding: “Some people resorted to writing scripts to automate the process and apparently someone decided to go a step further and build a botnet specifically for the purpose of filling out the forms.”
MSIL/Agent.PYO was “inserted” into the system, and four days before the opening of the registrations its downloader component was being distributed, and only to computers located in Belarus. The fallout: more than 200,000 computers were redirected to the exploit kit in about 6 days. Over the course of 5 weeks, 925 different computers connected to the botnet.
“Surprisingly large number for a botnet with such a specific purpose,” comments Duquette.