Hackers prey on Russian patriotism to grow the Kelihos botnet

A recent spam campaign encouraged Russian speakers to install malware on their computers to participate in DDoS attacks, researchers said

The cybercriminal gang behind the Kelihos botnet is tricking users into installing malware on their computers by appealing to pro-Russian sentiments stoked by recent international sanctions against the country.

Researchers from security firms Websense and Bitdefender have independently observed a new spam campaign that encourages Russian-speakers to volunteer their computers for use in distributed denial-of-service (DDoS) attacks against the websites of governments that imposed sanctions on Russia for its involvement in the conflict in eastern Ukraine.

"We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country," the spam emails read, according to a translation by Bitdefender researchers. "We have coded our answer and below you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions."

The links in the email messages point to a version of the Trojan program used in the Kelihos, or Hlux, botnet, security researchers from Websense said Friday in a blog post. This four-year-old botnet has been associated over time with various malicious activities including sending spam; stealing passwords from browsers, FTP clients and other programs; stealing and mining Bitcoins; providing backdoor access to computers and launching DDoS attacks, they said.

Despite the DDoS functionality in some Kelihos malware variants, this new invitation to volunteer computers for attacks against Western government websites is just a ruse to get more systems infected, according to Bogdan Botezatu, a senior e-threat analyst at Bitdefender.

"By giving victims a purpose and allegedly empowering them to be part of the war from the safety of their home, attackers improve their chances to harvest computers that will eventually be used for other tasks," Botezatu said Tuesday via email. "The Kelihos botnet operators have just one end-goal: monetizing the infected machines."

This is also suggested by the presence of three files in the malware program distributed by the spam campaign that can be used to intercept and monitor local network traffic, which has nothing to do with DDoS attacks. Those files, called npf_sys, packet_dll and wpcap_dll, are actually part of a legitimate application called WinPcap and are digitally signed.

"Kelihos relies on these files to inherit network monitoring functionality, a feature that otherwise would have to be developed inhouse," Botezatu said. "Sometimes cybercriminals reuse publicly known and widespread libraries to achieve some of these functionalities because these libraries have been extensively tested (they are less likely to crash) and they also are known by the security industry, so they don't run the risk of getting deleted."

Botezatu believes that this latest trick by the Kelihos gang could have a high rate of success, especially since some DDoS attacks launched by hacktivist groups like Anonymous in the past did actually involve volunteers downloading and installing specialized programs on their computers. Such volunteer-based attacks were also organized in Russia in 2008 during the Russo-Georgian conflict, according to reports at the time.

"This approach not only maximizes the number of potential victims, but also allows hackers to geographically pick the targets among the countries that are more likely to respond to such a call: Russian and Ukrainian citizens that are somewhat affected by sanctions," Botezatu said.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityscamsspywaremalwarebitdefenderwebsense

More about Websense

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place