Hackers prey on Russian patriotism to grow the Kelihos botnet

A recent spam campaign encouraged Russian speakers to install malware on their computers to participate in DDoS attacks, researchers said

The cybercriminal gang behind the Kelihos botnet is tricking users into installing malware on their computers by appealing to pro-Russian sentiments stoked by recent international sanctions against the country.

Researchers from security firms Websense and Bitdefender have independently observed a new spam campaign that encourages Russian-speakers to volunteer their computers for use in distributed denial-of-service (DDoS) attacks against the websites of governments that imposed sanctions on Russia for its involvement in the conflict in eastern Ukraine.

"We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country," the spam emails read, according to a translation by Bitdefender researchers. "We have coded our answer and below you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions."

The links in the email messages point to a version of the Trojan program used in the Kelihos, or Hlux, botnet, security researchers from Websense said Friday in a blog post. This four-year-old botnet has been associated over time with various malicious activities including sending spam; stealing passwords from browsers, FTP clients and other programs; stealing and mining Bitcoins; providing backdoor access to computers and launching DDoS attacks, they said.

Despite the DDoS functionality in some Kelihos malware variants, this new invitation to volunteer computers for attacks against Western government websites is just a ruse to get more systems infected, according to Bogdan Botezatu, a senior e-threat analyst at Bitdefender.

"By giving victims a purpose and allegedly empowering them to be part of the war from the safety of their home, attackers improve their chances to harvest computers that will eventually be used for other tasks," Botezatu said Tuesday via email. "The Kelihos botnet operators have just one end-goal: monetizing the infected machines."

This is also suggested by the presence of three files in the malware program distributed by the spam campaign that can be used to intercept and monitor local network traffic, which has nothing to do with DDoS attacks. Those files, called npf_sys, packet_dll and wpcap_dll, are actually part of a legitimate application called WinPcap and are digitally signed.

"Kelihos relies on these files to inherit network monitoring functionality, a feature that otherwise would have to be developed inhouse," Botezatu said. "Sometimes cybercriminals reuse publicly known and widespread libraries to achieve some of these functionalities because these libraries have been extensively tested (they are less likely to crash) and they also are known by the security industry, so they don't run the risk of getting deleted."

Botezatu believes that this latest trick by the Kelihos gang could have a high rate of success, especially since some DDoS attacks launched by hacktivist groups like Anonymous in the past did actually involve volunteers downloading and installing specialized programs on their computers. Such volunteer-based attacks were also organized in Russia in 2008 during the Russo-Georgian conflict, according to reports at the time.

"This approach not only maximizes the number of potential victims, but also allows hackers to geographically pick the targets among the countries that are more likely to respond to such a call: Russian and Ukrainian citizens that are somewhat affected by sanctions," Botezatu said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityscamsspywaremalwarebitdefenderwebsense

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?