Websense® Security Labs™ has come across an interesting campaign, targeting Russian nationals, trying to lure them to download and run executables on their computers, under the guise of attacking Western government websites. This is presented as a crowd-sourcing effort to retaliate against the governments that imposed sanctions on Russia (following the conflict in Ukraine). In fact, the unfortunate victims' machines fall prey to the Kelihos spam botnet.
Kelihos (a.k.a Hlux) is a long running trojan/bot/backdoor family, with different variants having capabilities, such as:
- Sending out spam email
- Sniffing sensitive information such as passwords for different protocols
- Stealing Bitcoin wallet contents
- Bitcoin mining
- Backdoor access to victims' computers
- Participating in DDoS (distributed denial of service) attacks
- Downloading additional malware
Over the years, there have been several efforts to take down the botnet, but it seems the cyber criminals behind Kelihos are trying to revive and expand the botnet.
Following topical events as a lure is a technique we have seen in the past to distribute Kelihos, such examples were two large campaigns in 2013, that leveraged the RedKit Exploit kit to drop Kelihos on victims' computers. That in turn, led to a series of stock "pump & dump" campaigns, for financial gains.
Looking at Websense® ThreatSeeker® Intelligence Cloud telemetry of total hits to a specific type of webpages associated with Kelihos, we can see why the cyber criminals might be trying to expand:
We saw that after a big spike around April 2014, there seems to be a decrease in recent months, with a gradual uptick in August 2014. It's possible this is the beginning of the expansion efforts.
What's different about this case is that instead of appealing to the victims' sense of curiosity, the cyber criminals appeal to patriotic sentiments (see details in analysis below), blatantly saying that they will run malware on the intended targets' computers, but without disclosing the true nature of the malware.
The variants we have analyzed so far in this campaign seem to have the spambot and sniffing functionality; no DDoS behavior has been observed during preliminary analysis. Even so, the damage for a business allowing their infrastructure to run such malware could be significant (blacklisting for example).
- Stage 2 (Lure) - ACE has detection for the URLs in the email lures, and Websense email security products block the email lures.
- Stage 5 (Dropper Files) - ACE has detection for the binary files associated with this attack.
- Stage 6 (Call Home) - Communication to the associated Command & Control (C2) servers is prevented.
* Note that this campaign does not use stages 3 & 4, details below.
The campaign started on August 20, 2014, and included email, such as this example:
The subject and body vary, but they are all similarly themed. Here is a translation (by Google) of the above text:
Subject: Help their homeland
We, the community of programmers from Russia, thrilled unreasonable sanctions that the United States imposed against Russia. We have created your answer, then you will find a link to a program written by us. Open it on your computer, and it will begin secretly to attack government websites of the countries that imposed these sanctions. The program operates silently, consumes no more than 5% of your online channel, no more than 20MB of traffic per day, and takes almost no processing power. After reboot the computer program completes its work, and if you want to - you can run it again manually.
Together, we - the power!
Link to file: hxxp://22.214.171.124/setup.exe Spare link: hxxp://126.96.36.199/setup.exe
As we mentioned, the text varies, and some of the messages carry a "helpful tip" to disable AV while running the executable.
Between August 20 and August 21, 2014, Websense Cloud Email Security has proactively blocked over 100,000 malicious messages from this campaign, all were sent to recipient addresses with .ru TLD.
These are the subjects we observed:
Since the campaign tries to appeal to would-be cyber warriors, there is no need to disguise the fact that an executable will be run on the victims' computers; therefore, the messages contain URLs with direct download links, such as:
The files hosted on these locations change to try to avoid AV detection.
At the time of the attack, AV detection was low:
Here is a sample Websense Threatscope™ sandbox report for a file dropped in this attack
Kelihos uses the Winpcap driver to monitor connections and sniff passwords from different protocols, mainly targeting SMTP so that mail can potentially be sent from seemingly legitimate email addresses.
When run on the victims' computers, the bot contacts the Command & Control (C2) infrastructure over TCP, then sends an encrypted GET request to the C2 URLs (hosted in Russia and Ukraine), such as:
Where the configuration is downloaded:
Additionally, the bot gets a list of content/links to spam from URLs such as:
Shortly afterwards, the bot makes DNS queries for mail servers:
And starts to send out email, in this case, the same kind that were observed earlier (asking to download the executable):
In this blog, we have seen an attempt by cyber criminals behind a long running bot network to expand and revive their operation, after a period of relative stagnation. The tactic of playing on national pride to use the victims for another nefarious purpose is somewhat unique: the criminals behind the campaign did not hide the fact that they are pointing to malware, just "failed to mention" that the immediate result of running it would be to join a spam botnet. Since the dropper files change, it's not out of the question that a variant with DDoS capabilities would be used, but nonetheless, businesses should make sure they are protected against any such malware using comprehensive security solutions, both for inbound and outbound protection.
Contributors: Ran Mosessco, Nick Griffin, Brandon Laux