Hackers prey on Russian patriotism to grow the Kelihos botnet

The cybercriminal gang behind the Kelihos botnet is tricking users into installing malware on their computers by appealing to pro-Russian sentiments stoked by recent international sanctions against the country.

Researchers from security firms Websense and Bitdefender have independently observed a new spam campaign that encourages Russian-speakers to volunteer their computers for use in distributed denial-of-service (DDoS) attacks against the websites of governments that imposed sanctions on Russia for its involvement in the conflict in eastern Ukraine.

"We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country," the spam emails read, according to a translation by Bitdefender researchers. "We have coded our answer and below you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions."

The links in the email messages point to a version of the Trojan program used in the Kelihos, or Hlux, botnet, security researchers from Websense said Friday in a blog post. This four-year-old botnet has been associated over time with various malicious activities including sending spam; stealing passwords from browsers, FTP clients and other programs; stealing and mining Bitcoins; providing backdoor access to computers and launching DDoS attacks, they said.

Despite the DDoS functionality in some Kelihos malware variants, this new invitation to volunteer computers for attacks against Western government websites is just a ruse to get more systems infected, according to Bogdan Botezatu, a senior e-threat analyst at Bitdefender.

"By giving victims a purpose and allegedly empowering them to be part of the war from the safety of their home, attackers improve their chances to harvest computers that will eventually be used for other tasks," Botezatu said Tuesday via email. "The Kelihos botnet operators have just one end-goal: monetizing the infected machines."

This is also suggested by the presence of three files in the malware program distributed by the spam campaign that can be used to intercept and monitor local network traffic, which has nothing to do with DDoS attacks. Those files, called npf_sys, packet_dll and wpcap_dll, are actually part of a legitimate application called WinPcap and are digitally signed.

"Kelihos relies on these files to inherit network monitoring functionality, a feature that otherwise would have to be developed inhouse," Botezatu said. "Sometimes cybercriminals reuse publicly known and widespread libraries to achieve some of these functionalities because these libraries have been extensively tested (they are less likely to crash) and they also are known by the security industry, so they don't run the risk of getting deleted."

Botezatu believes that this latest trick by the Kelihos gang could have a high rate of success, especially since some DDoS attacks launched by hacktivist groups like Anonymous in the past did actually involve volunteers downloading and installing specialized programs on their computers. Such volunteer-based attacks were also organized in Russia in 2008 during the Russo-Georgian conflict, according to reports at the time.

"This approach not only maximizes the number of potential victims, but also allows hackers to geographically pick the targets among the countries that are more likely to respond to such a call: Russian and Ukrainian citizens that are somewhat affected by sanctions," Botezatu said.