Cybercriminals Use Patriotic Russians to Revive Kelihos Botnet

Saturday, August 30, 2014

Eduard Kovacs


Cybercriminals seem to be well aware that many Russian nationals are unhappy with the sanctions imposed by foreign governments against their country, so they're relying on them to revive the Kelihos (Waledac) botnet, Websense reported recently.

The security industry attempted to disrupt Kelihos (Waledac) twice in the past years, but the botmasters are not ready to give up. There wasn't much activity associated with the threat since May, but at the beginning of August researchers started seeing what could be attempts to revive and expand the botnet.

This campaign is interesting because the emails used to distribute Kelihos don't hide it from the recipients  that they're about to install malware on their computers. The messages appear to come from a Russian programmer community that wants to get back at the United States and other countries that have imposed sanctions on Russia due to its support for separatists fighting the Ukraine government.

The cybercriminals instruct potential victims to click on a link and install a program that allegedly launches attacks against the websites of the governments that imposed sanctions. Users are assured that the application runs silently and it doesn’t consume too many resources. In some cases, the attackers even ask users to disable their antiviruses.

Once it infects a computer, the malware attempts to steal passwords for various protocols. The main target is the Simple Mail Transfer Protocol (SMTP), which can be used by the attackers to send out the emails to others.

In a short period of time (August 20-21), Websense blocked more than 100,000 emails sent to people with .ru email addresses. The spam messages carry subject lines (written in Russian) such as "Are you a patriot?" "For patriots of Russia," "Help Russia," "Answer Europe" and "Answer the United States."

While the cybercriminals tell users that they can contribute to attacks against government websites, the Kelihos variants analyzed by the security firm are only designed for spamming and sniffing data – they don't include any distributed denial-of-service (DDoS) functionality. On the other hand, experts believe this could change.

"Since the dropper files change, it's not out of the question that a variant with DDoS capabilities would be used, but nonetheless, businesses should make sure they are protected against any such malware using comprehensive security solutions, both for inbound and outbound protection," Websense's Ran Mosessco wrote in a blog post.

Related ReadingHackers Target Russians With Kelihos Malware Using Anti-Western Anger as a Lure

Possibly Related Articles:
malware botnet Kelihos Waledac cybercrime
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked