The cyber crooks behind the Kelihos botnet are, once again, trying to swell the number of computers included in it.
They are trying a novel approach: posing as a “community of Russian programmers,” the botmasters appeal to Russian users’ sense of patriotism to get them to download software that supposedly attacks, in secret, the government websites of countries that have imposed sanctions on Russia.
“The program operates silently, consumes no more than 5% of your online channel, no more than 20MB of traffic per day, and takes almost no processing power,” the spam email claims, and provides a clear link to the software.
Unfortunately for those who install it, the offered executable is not attack software at all, but a variant of the Kelihos malware, which gives the crooks backdoor access to the infected system and lets them send out spam, sniff passwords, download additional malware, and more.
“What’s different about this case is that instead of appealing to the victims’ sense of curiosity, the cyber criminals appeal to patriotic sentiments (see details in analysis below), blatantly saying that they will run malware on the intended targets’ computers, but without disclosing the true nature of the malware,” pointed out Websense researchers.
“The variants we have analyzed so far in this campaign seem to have the spambot and sniffing functionality; no DDoS behavior has been observed during preliminary analysis. Even so, the damage for a business allowing their infrastructure to run such malware could be significant (blacklisting for example).”
The malware variants initially had a very low AV detection rate. The spam campaign in question started on August 20, and in just one day the security company blocked over 100,000 malicious messages from it.