ESET researchers have uncovered a piece of malicious code dubbed Malware Agent.PYO, which has been busy targeting the Polish diplomatic mission in Belarus over the last couple of weeks.
The cyber-criminals were able to build a botnet that automatically fills out forms for visa applicants at Polish consulates in Belarus. The Downloader component of MSIL/Agent.PYO was distributed to computers located in Belarus using the Nuclear Exploit Kit. Statistics for the redirection chain show that more than 200,000 computers were redirected to the exploit kit in about six days. What’s more, the uncovered botnet itself comprised almost one thousand computers. ESET has provided the information on this incident to both the Polish and Belarusian branches of the Computer Emergency Readiness Team (CERT).
Belarusians who wish to obtain a visa need to fill out a form to schedule an appointment at the consulate. The form needs to be filed on specific dates (for example, the applications for January 2015 were scheduled for December 20th and 21st) and the number of available appointments is very limited. According to multiple forum threads, those appointments are quite difficult to obtain, so some people resorted to writing scripts to automate the process, further reducing the odds of obtaining an appointment by filling out the form manually. To defeat those bots, the consulate added CAPTCHAs to its website and limited connections to the server to IP addresses in Poland and Belarus only.
Read more at ESET Ireland’s blog