Menu
Hackers prey on Russian patriotism to grow the Kelihos botnet

Hackers prey on Russian patriotism to grow the Kelihos botnet

A recent spam campaign encouraged Russian speakers to install malware on their computers to participate in DDoS attacks, researchers said

The cybercriminal gang behind the Kelihos botnet is tricking users into installing malware on their computers by appealing to pro-Russian sentiments stoked by recent international sanctions against the country.

Researchers from security firms Websense and Bitdefender have independently observed a new spam campaign that encourages Russian-speakers to volunteer their computers for use in distributed denial-of-service (DDoS) attacks against the websites of governments that imposed sanctions on Russia for its involvement in the conflict in eastern Ukraine.

"We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country," the spam emails read, according to a translation by Bitdefender researchers. "We have coded our answer and below you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions."

The links in the email messages point to a version of the Trojan program used in the Kelihos, or Hlux, botnet, security researchers from Websense said Friday in a blog post. This four-year-old botnet has been associated over time with various malicious activities including sending spam; stealing passwords from browsers, FTP clients and other programs; stealing and mining Bitcoins; providing backdoor access to computers and launching DDoS attacks, they said.

Despite the DDoS functionality in some Kelihos malware variants, this new invitation to volunteer computers for attacks against Western government websites is just a ruse to get more systems infected, according to Bogdan Botezatu, a senior e-threat analyst at Bitdefender.

"By giving victims a purpose and allegedly empowering them to be part of the war from the safety of their home, attackers improve their chances to harvest computers that will eventually be used for other tasks," Botezatu said Tuesday via email. "The Kelihos botnet operators have just one end-goal: monetizing the infected machines."

This is also suggested by the presence of three files in the malware program distributed by the spam campaign that can be used to intercept and monitor local network traffic, which has nothing to do with DDoS attacks. Those files, called npf_sys, packet_dll and wpcap_dll, are actually part of a legitimate application called WinPcap and are digitally signed.

"Kelihos relies on these files to inherit network monitoring functionality, a feature that otherwise would have to be developed inhouse," Botezatu said. "Sometimes cybercriminals reuse publicly known and widespread libraries to achieve some of these functionalities because these libraries have been extensively tested (they are less likely to crash) and they also are known by the security industry, so they don't run the risk of getting deleted."

Botezatu believes that this latest trick by the Kelihos gang could have a high rate of success, especially since some DDoS attacks launched by hacktivist groups like Anonymous in the past did actually involve volunteers downloading and installing specialized programs on their computers. Such volunteer-based attacks were also organized in Russia in 2008 during the Russo-Georgian conflict, according to reports at the time.

"This approach not only maximizes the number of potential victims, but also allows hackers to geographically pick the targets among the countries that are more likely to respond to such a call: Russian and Ukrainian citizens that are somewhat affected by sanctions," Botezatu said.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwarescamsspywarewebsensebitdefender

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments