
Hackers Target Russians With Kelihos Malware Using Anti-Western Anger as a Lure

Attackers are targeting Russian victims with a ruse designed to get them to install the Kelihos malware, according to security firm BitDefender. 


The lure plays to anti-Western and anti-U.S. sentiment. In spam emails, the attackers promise software designed to attack those governments in retaliation for sanctions tied to the crisis in Ukraine. What users actually get, however, is a serving of the notorious Kelihos malware.

Users who click the malicious links in the spam email download the Trojan, which drops three clean files used for traffic monitoring (npf_sys, packet_dll, wpcap_dll) and is capable of mining sensitive browser data, Internet traffic and other personal information.

Also known as Hlux, the Kelihos botnet was first discovered roughly four years ago. During its history, it has mainly been linked to spamming and Bitcoin theft.

“With the Ukrainian conflict in mind, hackers have crafted ingenious spam messages that help them deliver the Trojan to those who support the Russian “cause” and dislike measures taken against the country,” according to BitDefender. “Users who click the malicious links are unwillingly joining the botnet and spreading the malware further.”

The spam contains a message claiming to come from hackers or programmers from the Russian Federation who are upset about “unreasonable sanctions” that Western states imposed against their country. The attackers tell the user that if they run the application on their computer, it will begin to secretly attack government agencies of the countries that imposed those sanctions.

To help promote the application, the attackers also claim that their program works silently and uses only a limited amount of computing power. The messages also state that after the user's computer is rebooted, the program will terminate its activities.

Some of the text of the messages varies, and in some cases it includes the suggestion that recipients turn off their antivirus software while running the program, security researchers at Websense noted, adding that they believe the attack campaign began August 20.


“The variants we have analyzed so far in this campaign seem to have the spambot and sniffing functionality; no DDoS behavior has been observed during preliminary analysis,” according to Websense Senior Security Researcher Ran Mosessco. “Even so, the damage for a business allowing their infrastructure to run such malware could be significant (blacklisting for example).”

Once on the computer, the Kelihos Trojan communicates with its command-and-control server by exchanging encrypted messages over HTTP to retrieve further instructions. Depending on the payload, Kelihos can do any of the following: communicate with other infected computers; steal Bitcoin wallets; send spam; steal FTP and email credentials; download and execute other malicious files on the affected system; and monitor traffic for the FTP, POP3 and SMTP protocols.

Bitdefender Labs analyzed one of the recent malicious spam waves and found that all of the .eml files led to setup.exe download links hosted on five unique IP addresses. Three were located in Ukraine, while the other two were in Poland and the Republic of Moldavia.
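The triage Bitdefender describes, collecting every link from a batch of .eml files, keeping those that point at a setup.exe download and tallying the unique hosting IPs, is easy to reproduce for a defender's own mail quarantine. The script below is an added example written for this page, not Bitdefender's or Websense's tooling; the three messages, the addresses in them and the "setup.exe" filter are constructed for illustration and are not indicators from the campaign.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample messages (not real campaign samples). Addresses are from
# documentation ranges (RFC 5737) so the script can run offline.
SAMPLE_EMLS = [
    """From: programmers <sender@example.invalid>
To: recipient@example.invalid
Subject: Tool against unreasonable sanctions
Content-Type: text/plain; charset=utf-8

Run our program: http://203.0.113.10/soft/setup.exe
It works silently and stops after reboot.
""",
    """From: programmers <sender2@example.invalid>
To: recipient@example.invalid
Subject: Same tool, new mirror
Content-Type: text/html; charset=utf-8

<html><body><a href="http://198.51.100.7/dl/setup.exe">download</a>
mirror: http://203.0.113.10/soft/setup.exe</body></html>
""",
    """From: newsletter <news@example.invalid>
To: recipient@example.invalid
Subject: Weekly digest
Content-Type: text/plain; charset=utf-8

Read the digest at https://www.example.com/news/index.html
""",
]

# Plain URL matcher; stops at whitespace and common HTML/quote delimiters.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_urls(raw_eml: str) -> list:
    """Return every http(s) URL found in the text/plain and text/html parts."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    urls = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def is_ip(host: str) -> bool:
    """True when the URL host is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(raw_emls, payload_name: str = "setup.exe") -> dict:
    """Collect links whose path ends in payload_name and the hosts serving them."""
    payload_links = set()
    hosts = set()
    for raw in raw_emls:
        for url in extract_urls(raw):
            parsed = urlparse(url)
            if parsed.path.lower().endswith("/" + payload_name.lower()):
                payload_links.add(url)
                if parsed.hostname:
                    hosts.add(parsed.hostname)
    return {
        "payload_links": sorted(payload_links),
        "unique_ips": sorted(h for h in hosts if is_ip(h)),
        "other_hosts": sorted(h for h in hosts if not is_ip(h)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EMLS)
    print("payload links:", result["payload_links"])
    print("unique hosting IPs:", result["unique_ips"])
```

The unique IP list is what you would hand to whoever runs the proxy or firewall block list; the "other_hosts" bucket catches the same lure when it moves to a hostname, since the distribution point for a botnet-hosted download is often another infected machine and changes between waves.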

“Some might be servers specialized in malware distribution or other infected computers that became part of the Kelihos botnet,” Bitdefender Virus Analyst Doina Cosovan said in a statement. “It is somehow ironic that most of the infected IPs are from Ukraine. This either means that computers in the country were also infected, or that Ukraine itself is where the distribution servers are located in.”


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
