Kelihos Botnet Spreading Troldesh Ransomware

The Kelihos botnet has switched to dropping ransomware onto targeted computers, and is currently spreading the Troldesh malware family, security researchers warn.

Kelihos has been around for approximately eight years and has survived several takedown attempts, including ones in September 2011 and March 2012. Over time, the botnet has been used for various nefarious purposes, including pump-and-dump stock spam campaigns and the distribution of the MarsJoke and Wildfire ransomware families.

In August this year, as its operators began using it alongside other botnets to spread popular current threats such as ransomware and banking Trojans, Kelihos tripled its size overnight. The next month, it was seen spreading Panda Zeus, Nymaim and Kronos, but it has recently reverted to ransomware.

Kelihos was seen spreading the Troldesh encryption ransomware via spam emails containing URLs that link to a JavaScript file and a Microsoft Word document. According to Arsh Arora, malware analyst and Ph.D. researcher at The University of Alabama at Birmingham, this is the first time the botnet is using JavaScript files to infect users.

The malware encrypts users’ files and adds the .no_more_ransom extension to them, which appears meant to add an ironic twist to the infection by pointing at the NoMoreRansom initiative, created to fight ransomware and help victims all around the world.

The Troldesh distribution campaign was targeting email addresses ending with “.au” specifically, meaning that only Australian users might have received the ransomware. Simultaneously, the botnet was delivering dating spam to “.pl” email addresses, was spamming “.us” users to recruit them as money mules, and was pushing pharmaceutical spam to all other geographies.

The spam messages linking to the Troldesh ransomware featured a credit debt theme and were impersonating Bank of America. Intended victims were informed of an outstanding debt and were encouraged to open an attachment supposedly meant to offer exact details on their situation. Instead, the Troldesh malware was downloaded onto the compromised machine.

After encrypting users’ files, the ransomware would drop a ransom note (in both Russian and English) on the desktop. Users were instructed to contact the ransomware authors via a Gmail address to receive the instructions needed to decrypt their files. The note also instructed them to download Tor and access .onion addresses via their browsers.

On top of that, Troldesh was seen downloading additional malware onto the infected systems, as well as contacting its command and control center at a specific address. The ransomware was downloading the Pony info-stealer onto the victims’ computers, to gather and exfiltrate sensitive information from the machine.

“To conclude, Kelihos has been surprising the researchers quite often and it has become necessary to keep track of different activities of the botnet. The ransomware inclusion brings interesting twists from the research as well as law enforcement,” the security researcher noted.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.