Russian Hackers disguise Kelihos bot as Anti-Government Software

Russian Hackers are spreading the Kelihos Trojan leading victims into believing that it is a software to hit Western Governments.

Kelihos botnet is still active and exploited by the cybercrime ecosystem to monetize its effort as discovered by security experts at Bitdefender. Cyber criminals have a single purpose, to earn money by any means, for this reason it is not surprising that Russian hackers are riding the interest on the conflict in Ukraine to serve malware via links found in spam emails purporting to support the Russian cause.

“We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country,” “We have coded our answer and bellow you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions.” the malicious spam messages read.

The criminal gang behind the last wave of attacks are tricking victims proposing a software by pretending it was designed to attack online resources belonging to US and Western governments, instead it is the Hlux data stealing trojan used to recruit new machine for the malicious Kelihos botnet.

The Kelihos botnet was discovered for the first time in 2010 and at least three versions were discovered by security firm in these years.

Originally used for spam, phishing  and DDoS attack, the last version has several capabilities, including communicating with infected computers, data stealing (including  FTP and email credentials), stealing bitcoin wallets and sending spam emails.

Kelihos bots are able to provide attackers full control of victims, the malicious code could download and execute further payloads and monitor traffic for FTP, POP3 and SMTP protocols.

Hlux trojan drops three clean files, npf_sys, packet_dll and wpcap_dll, used by attackers to monitor traffic. The experts discovered the malicious campaign during the investigation on one of the recent spam waves.

“We analyzed one of the recent malicious spam waves and noticed that all the .eml files lead to setup.exe URLs, with 49 unique IPs,” Bitdefender Virus Analyst Doina Cosovan explained.

Track the Kelihos botnet is not so simple because it a peer-to-peer botnet, experts started from a collection of infected machines to try to track the map of overall malicious infrastructure.

“To find out the size and distribution of the computers infected during this campaign, we relied on the fact that Kelihos uses P2P. Starting from the 49 distinct IPs, we obtained the list of domains associated to each IP address. For each resulting domain, we obtained the list of corresponding IPs. In the end, we obtained 25.680.758 IP addresses, of which only 55.981 were unique.” 

Surprisingly enough, the experts discovered that over 40 percent of the infected machine was located in Ukraine.

 

 

“This can either be an anti-Russian diversion crafted by Ukrainian cyberwar ‘soldiers’ or, more likely, a sign that many of the infected machines belong to Ukraine and now unwillingly distribute the malware.”  said Bianca Stanescu, a security analyst at Bitdefender

The malware is distributed on a global scale and used to serve further malware, more than 500 infected IPs were detected in US.

Pierluigi Paganini

(Security Affairs – Kelihos botnet, cybercrime)