Hackers Target Russians With Kelihos Malware Using Anti-Western Anger as a Lure

Attackers are targeting Russian victims with a ruse designed to get them to install the Kelihos malware, according to security firm BitDefender. 

Attackers are targeting Russian victims with a ruse designed to get them to install the Kelihos malware, according to security firm BitDefender. 

The lure plays to anti-Western and anti-U.S. sentiment. In spam emails, the attackers promise software designed to attack those governments in retaliation for sanctions tied to the crisis in Ukraine. What users actually get, however, is a serving of the notorious Kelihos malware.

Users who click the malicious links in the spam email download the Trojan, which drops three clean files used for traffic monitoring (npf_sys, packet_dll, wpcap_dll) and is capable of mining sensitive browser data, Internet traffic and other personal information.

Also known as Hlux, the Kelihos botnet was first discovered roughly four years ago. During its history, it has mainly been linked to spamming and Bitcoin theft.

“With the Ukrainian conflict in mind, hackers have crafted ingenious spam messages that help them deliver the Trojan to those who support the Russian “cause” and dislike measures taken against the country,” according to BitDefender. “Users who click the malicious links are unwillingly joining the botnet and spreading the malware further.”

The spam contains a message claiming to come from hackers or programmers from the Russian Federation who are upset about “unreasonable sanctions” that Western states imposed against their country. The attackers tell the user that if they run the application on their computer, it will begin to secretly attack government agencies of the countries that imposed those sanctions.

To help promote the application, the attackers also add that their program works silently and uses only a limited amount of computing power. The messages also state that after the user reboots the computer, the program will terminate its activities.

The text of the messages varies, and in some cases includes the suggestion that recipients turn off their antivirus software while running the program, security researchers at Websense noted, adding that they believe the attack campaign began August 20.


“The variants we have analyzed so far in this campaign seem to have the spambot and sniffing functionality; no DDoS behavior has been observed during preliminary analysis,” according to Websense Senior Security Researcher Ran Mosessco. “Even so, the damage for a business allowing their infrastructure to run such malware could be significant (blacklisting for example).”

Once on the computer, the Kelihos Trojan communicates with the command and control center by exchanging encrypted messages through HTTP to retrieve further instructions. Depending on the payload, Kelihos can do any of the following: communicate with other infected computers; steal Bitcoin wallets; send spam; steal FTP and email credentials; download and execute other malicious files on the affected system; and monitor traffic for FTP, POP3 and SMTP protocols.

Bitdefender Labs analyzed one of the recent malicious spam waves and noticed that all of the .eml files led to setup.exe links hosted on five unique IPs. Three belonged to Ukraine, while the other two were located in Poland and the Republic of Moldavia.
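The triage step described above, pulling the setup.exe links out of a batch of spam .eml files and deduplicating the hosts behind them, as an added Python example (not Bitdefender's code; the .eml samples and the addresses in them are constructed, drawn from documentation IP ranges):

```python
import email
import re
from email import policy
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample .eml messages (not from the campaign): three spam mails,
# two of which point at the same host. Addresses are from documentation ranges.
SAMPLE_EMLS: List[str] = [
    "From: a@example.net\nTo: b@example.org\nSubject: hello\n"
    "Content-Type: text/plain\n\n"
    "Run it: http://192.0.2.10/files/setup.exe\nAlso http://192.0.2.10/info.html\n",
    "From: c@example.net\nTo: b@example.org\nSubject: hi\n"
    "Content-Type: text/html\n\n"
    '<a href="http://198.51.100.7/dl/setup.exe">download</a>\n',
    "From: d@example.net\nTo: b@example.org\nSubject: yo\n"
    "Content-Type: text/plain\n\n"
    "Mirror: http://192.0.2.10/files/setup.exe\n",
]

# Stop at whitespace or quote/angle characters so HTML attributes do not bleed in.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_urls(raw_eml: str) -> List[str]:
    """Parse one .eml and return every http(s) URL found in its text/HTML parts."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip attachments and multipart containers
        urls.extend(URL_RE.findall(part.get_content()))
    return urls


def setup_exe_hosts(raw_emls: List[str]) -> Dict[str, Set[str]]:
    """Map each distinct host serving a setup.exe link to the URLs that use it."""
    hosts: Dict[str, Set[str]] = {}
    for raw in raw_emls:
        for url in extract_urls(raw):
            parsed = urlparse(url)
            if parsed.hostname and parsed.path.lower().endswith("/setup.exe"):
                hosts.setdefault(parsed.hostname, set()).add(url)
    return hosts


if __name__ == "__main__":
    for host, urls in sorted(setup_exe_hosts(SAMPLE_EMLS).items()):
        print(host, sorted(urls))
```

Feeding the resulting host list to a blocklist or proxy log search is the natural next step; the example stops at extraction and deduplication.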

“Some might be servers specialized in malware distribution or other infected computers that became part of the Kelihos botnet,” Bitdefender Virus Analyst Doina Cosovan said in a statement. “It is somehow ironic that most of the infected IPs are from Ukraine. This either means that computers in the country were also infected, or that Ukraine itself is where the distribution servers are located in.”
