Menu
Hackers prey on Russian patriotism to grow the Kelihos botnet

Hackers prey on Russian patriotism to grow the Kelihos botnet

A recent spam campaign encouraged Russian speakers to install malware on their computers to participate in DDoS attacks, researchers said

The cybercriminal gang behind the Kelihos botnet is tricking users into installing malware on their computers by appealing to pro-Russian sentiments stoked by recent international sanctions against the country.

Researchers from security firms Websense and Bitdefender have independently observed a new spam campaign that encourages Russian-speakers to volunteer their computers for use in distributed denial-of-service (DDoS) attacks against the websites of governments that imposed sanctions on Russia for its involvement in the conflict in eastern Ukraine.

"We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country," the spam emails read, according to a translation by Bitdefender researchers. "We have coded our answer and below you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions."

The links in the email messages point to a version of the Trojan program used in the Kelihos, or Hlux, botnet, security researchers from Websense said Friday in a blog post. This four-year-old botnet has been associated over time with various malicious activities including sending spam; stealing passwords from browsers, FTP clients and other programs; stealing and mining Bitcoins; providing backdoor access to computers and launching DDoS attacks, they said.

Despite the DDoS functionality in some Kelihos malware variants, this new invitation to volunteer computers for attacks against Western government websites is just a ruse to get more systems infected, according to Bogdan Botezatu, a senior e-threat analyst at Bitdefender.

"By giving victims a purpose and allegedly empowering them to be part of the war from the safety of their home, attackers improve their chances to harvest computers that will eventually be used for other tasks," Botezatu said Tuesday via email. "The Kelihos botnet operators have just one end-goal: monetizing the infected machines."

This is also suggested by the presence of three files in the malware program distributed by the spam campaign that can be used to intercept and monitor local network traffic, which has nothing to do with DDoS attacks. Those files, called npf_sys, packet_dll and wpcap_dll, are actually part of a legitimate application called WinPcap and are digitally signed.

"Kelihos relies on these files to inherit network monitoring functionality, a feature that otherwise would have to be developed inhouse," Botezatu said. "Sometimes cybercriminals reuse publicly known and widespread libraries to achieve some of these functionalities because these libraries have been extensively tested (they are less likely to crash) and they also are known by the security industry, so they don't run the risk of getting deleted."

Botezatu believes that this latest trick by the Kelihos gang could have a high rate of success, especially since some DDoS attacks launched by hacktivist groups like Anonymous in the past did actually involve volunteers downloading and installing specialized programs on their computers. Such volunteer-based attacks were also organized in Russia in 2008 during the Russo-Georgian conflict, according to reports at the time.

"This approach not only maximizes the number of potential victims, but also allows hackers to geographically pick the targets among the countries that are more likely to respond to such a call: Russian and Ukrainian citizens that are somewhat affected by sanctions," Botezatu said.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags securityscamsspywaremalwarebitdefenderwebsense

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments