The Kelihos botnet has switched to dropping ransomware onto targeted computers, and is currently spreading the Troldesh malware family, security researchers warn.
Kelihos has been around for approximately eight years and has survived several takedown attempts, including ones in September 2011 and March 2012. Over time, the botnet has been used for various nefarious purposes, including pump-and-dump stock spam campaigns and the distribution of the MarsJoke and Wildfire ransomware families.
In August this year, as its operators began using it alongside other botnets to spread the popular threats of the moment, such as ransomware and banking Trojans, Kelihos tripled in size overnight. The following month it was seen distributing Panda Zeus, Nymaim and Kronos, but it has recently reverted to ransomware.
Kelihos was seen spreading the Troldesh encryption ransomware via spam emails containing URLs that link to a JavaScript file and a Microsoft Word document. According to Arsh Arora, malware analyst and Ph.D. researcher at The University of Alabama at Birmingham, this is the first time the botnet is using JavaScript files to infect users.
The malware encrypts users’ files and appends the .no_more_ransom extension to them, an apparent ironic jab at the No More Ransom initiative, which was created to fight ransomware and help victims around the world.
The Troldesh distribution campaign was targeting email addresses ending with “.au” specifically, meaning that only Australian users might have received the ransomware. Simultaneously, the botnet was delivering dating spam to “.pl” email addresses, was spamming “.us” users to recruit them as money mules, and was pushing pharmaceutical spam to all other geographies.
The spam messages linking to the Troldesh ransomware featured a credit debt theme and were impersonating Bank of America. Intended victims were informed of an outstanding debt and were encouraged to open an attachment supposedly meant to offer exact details on their situation. Instead, the Troldesh malware was downloaded onto the compromised machine.
After encrypting the files, the ransomware drops a ransom note (in both Russian and English) on the desktop. Victims are instructed to contact the ransomware authors at a Gmail address to receive decryption instructions, and to download Tor and access .onion addresses through the Tor browser.
On top of that, Troldesh was seen downloading additional malware onto infected systems and contacting its command and control server at a specific address. Specifically, the ransomware downloaded the Pony info-stealer onto victims’ computers to gather and exfiltrate sensitive information from the machine.
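The campaign indicators reported above (a link to a JavaScript file or Word document lure, recipients at “.au” addresses, and the .no_more_ransom extension on encrypted files) translate directly into simple triage logic. The following is an added example written for this page, not code from the article or from the UAB researchers; it assumes a hypothetical mail-gateway log format (`rcpt=<recipient> url=<first URL in body>`), uses constructed sample lines with documentation-range IPs, and the 50% infection threshold is an assumed tuning value.

```python
"""Triage helpers for the Kelihos/Troldesh campaign indicators described above.
Added example with constructed sample data; not the article's or the researchers' code."""
import os
import re
from collections import Counter
from urllib.parse import urlparse

# Indicators taken from the campaign description above.
RANSOM_EXT = ".no_more_ransom"          # extension Troldesh appends to encrypted files
LURE_EXTS = {".js", ".doc", ".docx"}     # JavaScript file / Word document lures
TARGET_TLDS = {"au"}                     # the ransomware run was aimed at .au recipients

# Constructed sample of mail-gateway log lines in a hypothetical format
# ("rcpt=<recipient> url=<first URL in body>"); not real traffic.
SAMPLE_MAIL_LOG = """\
2016-11-18T09:12:03Z from=notice@bankofamerica-debt.example rcpt=jane@corp.example.au url=http://198.51.100.7/debt/details.js
2016-11-18T09:12:05Z from=notice@bankofamerica-debt.example rcpt=mark@shop.example.au url=http://198.51.100.7/debt/details.doc
2016-11-18T09:12:09Z from=anna@dating.example rcpt=piotr@firma.example.pl url=http://203.0.113.5/profile.html
2016-11-18T09:12:11Z from=hr@jobs.example rcpt=bob@mail.example.us url=http://203.0.113.9/apply
2016-11-18T09:12:14Z from=pharm@meds.example rcpt=lee@home.example.ca url=http://192.0.2.44/cheap
"""

LINE_RE = re.compile(r"rcpt=(?P<rcpt>\S+)\s+url=(?P<url>\S+)")


def recipient_tld(address):
    """Return the top-level domain of an e-mail address, lower-cased ('au' for x@y.example.au)."""
    return address.rsplit(".", 1)[-1].lower()


def parse_mail_log(text):
    """Yield (recipient, tld, url, url_extension) for every parsable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rcpt, url = m.group("rcpt"), m.group("url")
        ext = os.path.splitext(urlparse(url).path)[1].lower()
        yield rcpt, recipient_tld(rcpt), url, ext


def campaign_by_tld(text):
    """Count messages per recipient TLD, mirroring the geo-split reported above."""
    return Counter(tld for _, tld, _, _ in parse_mail_log(text))


def flag_ransomware_lures(text, target_tlds=TARGET_TLDS):
    """Return (recipient, url) pairs that match the Troldesh run:
    a link to a script/document lure sent to a recipient in a targeted TLD."""
    return [(rcpt, url) for rcpt, tld, url, ext in parse_mail_log(text)
            if ext in LURE_EXTS and tld in target_tlds]


def find_encrypted_files(paths):
    """Return paths that carry the .no_more_ransom extension (host-side triage)."""
    return [p for p in paths if p.lower().endswith(RANSOM_EXT)]


def likely_infected(paths, threshold=0.5):
    """Treat a host as likely infected when at least `threshold` of the sampled
    user files carry the ransom extension (the threshold is an assumed tuning value)."""
    if not paths:
        return False
    return len(find_encrypted_files(paths)) / len(paths) >= threshold


if __name__ == "__main__":
    print(campaign_by_tld(SAMPLE_MAIL_LOG))
    for rcpt, url in flag_ransomware_lures(SAMPLE_MAIL_LOG):
        print("lure:", rcpt, url)
    # Constructed file listing standing in for a scan of a user's Documents folder.
    sample_files = ["C:/Users/jane/Documents/q3.xlsx.no_more_ransom",
                    "C:/Users/jane/Documents/notes.txt"]
    print(find_encrypted_files(sample_files), likely_infected(sample_files))
```

The TLD split is what makes the gateway-side check useful: the same botnet sends dating, money-mule and pharmaceutical spam to other geographies at the same time, so filtering on lure file type alone would miss the targeting pattern, and filtering on recipient TLD alone would flag the unrelated campaigns.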
“To conclude, Kelihos has been surprising the researchers quite often and it has become necessary to keep track of different activities of the botnet. The ransomware inclusion brings interesting twists from the research as well as law enforcement,” the security researcher noted.

By Ionut Arghire