Russian Hackers Promise Anti-Government Software, Deliver Kelihos Trojan Instead

With the Ukrainian conflict in mind, an alleged hacker community from Russia installs data-stealing malware on users’ machines by pretending the software was designed to attack Western governments. Oddly enough, over 40 per cent of the infected servers are in Ukraine, according to the Bitdefender Labs.

The self-proclaimed hackers have crafted ingenious spam messages that help them deliver the Trojan to those who dislike the economic and political measures taken against Russia.

“We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country,” the malicious spam messages read.

“We have coded our answer and bellow you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions.”

After clicking the links, victims download an executable file known as Kelihos. Capable of mining sensitive browser data, internet traffic and other personal information, Kelihos first drops three clean files used to monitor traffic (WinPcap files npf.sys, packet.dll, and wpcap.dll).

The Trojan then communicates with the command and control center by exchanging encrypted messages via HTTP to retrieve further instructions.

Depending on the type of payload, Kelihos can do any of the following:

Communicate with other infected computers
Steal bitcoin wallets
Send spam emails
Steal FTP and email credentials as well as login details saved by the browsers
Download and execute other malicious files on the affected system
Monitor traffic for FTP, POP3 and SMTP protocols

“We analyzed one of the recent malicious spam waves and noticed that all the .eml files lead to setup.exe URLs, with 49 unique IPs,” Bitdefender Virus Analyst Doina Cosovan explained.

“To find out the size and distribution of the computers infected during this campaign, we relied on the fact that Kelihos uses P2P. Starting from the 49 distinct IPs, we obtained the list of domains associated to each IP address. For each resulting domain, we obtained the list of corresponding IPs. In the end, we obtained 25.680.758 IP addresses, of which only 55.981 were unique.”

The analysis suggests how interconnected and huge the botnet infrastructure is, considering that the 49 infected IP addresses are just a slice of the malicious “pie.”

Here’s the country distribution obtained by the analysis (top 20):

“Some of the IPs might indicate the origin of servers specialized in malware distribution or other infected computers that became part of the Kelihos botnet,” Bitdefender Virus Analyst Doina Cosovan said. “As most of the infected IPs are from Ukraine, this either means that computers in the country were also infected, or that Ukraine itself is home to the main distribution servers.”

Also known as Hlux, the Kelihos botnet was discovered four years ago. It is mainly involved in bitcoin theft and spamming. The botnet has a peer-to-peer structure, where individual nodes can act as command-and-control servers for the entire botnet, allowing it to stay undetected for a longer period.

Like most botnets, Kelihos itself can be rented by other malware creators for distribution. It’s unclear whether it rents other services as well. So far, we have only seen Kelihos running on the Windows platform.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

This article is based on spam samples provided courtesy of Bitdefender Spam Researcher Adrian MIRON and the technical information provided by Bitdefender Virus Analysts Doina COSOVAN and Alexandru MAXIMCIUC.