The Kelihos Trojan is being spread by a campaign aimed at Russian nationals, who are led to believe they are installing software designed to attack online resources belonging to the US and Western governments. The cyber criminals behind the campaign appeal to the patriotism of the victims, deceiving them into thinking that the program will retaliate against the sanctions imposed on Russia by the US. In fact, the URL in the malicious message leads to the Kelihos Trojan.
The Nature of Kelihos Trojan
The Kelihos botnet, also known as Hlux, first appeared in 2010 and was originally used for phishing, spam and distributed denial-of-service attacks. It has been the target of several take-down operations by private security companies and law enforcement; each time, however, it has re-emerged and built new botnets. The latest version of the Kelihos Trojan has several additional capabilities, including sending spam, stealing FTP and email credentials, communicating with other infected computers, Bitcoin mining and stealing Bitcoin wallets.
The Kelihos Trojan also opens a backdoor on the compromised system, through which the attackers can download further malicious files onto the infected PC. The bots give the attackers full control over the victim's machine: the malicious code can download and execute additional payloads, and it monitors network traffic to capture passwords sent over the FTP, POP3 and SMTP protocols, all of which transmit credentials in cleartext unless the connection is protected by TLS.
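To make concrete why FTP, POP3 and SMTP logins are such easy pickings for a traffic-sniffing bot, here is an added illustration (written for this article; it is not Kelihos code and not code from the researchers quoted below) that pulls usernames and passwords out of constructed client-to-server streams. The flows, port-to-protocol mapping and function names are assumptions made for the example; the protocol syntax (FTP/POP3 USER and PASS, SMTP AUTH PLAIN and AUTH LOGIN) is standard.

```python
import base64
import binascii

# Constructed sample flows (client -> server direction only), one per TCP
# connection. These are made-up for illustration, not captured bot traffic.
SAMPLE_FLOWS = [
    {"dst_port": 21,  "client_data": b"USER alice\r\nPASS s3cret\r\nLIST\r\n"},
    {"dst_port": 110, "client_data": b"USER bob@example.ru\r\nPASS hunter2\r\nSTAT\r\n"},
    {"dst_port": 25,  "client_data": b"EHLO mail\r\nAUTH PLAIN "
                                     + base64.b64encode(b"\x00carol\x00pa55word") + b"\r\n"},
    {"dst_port": 587, "client_data": b"EHLO mail\r\nAUTH LOGIN\r\n"
                                     + base64.b64encode(b"dave") + b"\r\n"
                                     + base64.b64encode(b"letmein") + b"\r\n"},
    # IMAPS on 993: the payload is a TLS record, so nothing is recoverable.
    {"dst_port": 993, "client_data": b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26"},
]

# Assumed mapping of well-known cleartext ports to protocol parsers.
PROTO_BY_PORT = {21: "ftp", 110: "pop3", 25: "smtp", 587: "smtp"}


def _b64(token: bytes):
    """Decode a base64 token, returning None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def _text(raw: bytes) -> str:
    return raw.decode("utf-8", "replace")


def extract_credentials(flow: dict) -> list:
    """Return a list of (protocol, username, password) found in one flow."""
    proto = PROTO_BY_PORT.get(flow["dst_port"])
    if proto is None:
        return []                      # unknown or TLS-wrapped port: skip
    lines = flow["client_data"].split(b"\r\n")
    found = []

    if proto in ("ftp", "pop3"):
        # Both protocols log in with "USER <name>" followed by "PASS <pw>".
        user = None
        for line in lines:
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                user = _text(arg)
            elif cmd.upper() == b"PASS" and user is not None:
                found.append((proto, user, _text(arg)))
                user = None
    else:
        # SMTP: "AUTH PLAIN <b64(authzid\0user\0pw)>" in one line, or
        # "AUTH LOGIN" followed by base64 username and base64 password lines.
        i = 0
        while i < len(lines):
            parts = lines[i].split()
            if len(parts) >= 2 and parts[0].upper() == b"AUTH":
                mech = parts[1].upper()
                if mech == b"PLAIN" and len(parts) >= 3:
                    raw = _b64(parts[2])
                    if raw is not None and raw.count(b"\x00") == 2:
                        _authzid, user, pw = raw.split(b"\x00")
                        found.append((proto, _text(user), _text(pw)))
                elif mech == b"LOGIN" and i + 2 < len(lines):
                    user, pw = _b64(lines[i + 1]), _b64(lines[i + 2])
                    if user is not None and pw is not None:
                        found.append((proto, _text(user), _text(pw)))
                    i += 2
            i += 1
    return found


def sniff_all(flows: list) -> list:
    """Run the extractor over every flow and flatten the results."""
    return [cred for flow in flows for cred in extract_credentials(flow)]


if __name__ == "__main__":
    for proto, user, pw in sniff_all(SAMPLE_FLOWS):
        print(f"{proto}: {user} / {pw}")
```

The fifth flow shows the only real defence: once the session is wrapped in TLS (IMAPS, POP3S, FTPS or STARTTLS negotiated before AUTH), the sniffer has nothing to parse. The same logic run on real captures would need TCP stream reassembly and STARTTLS tracking, which this example deliberately omits.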
Kelihos Trojan – What is Different
What is different about this campaign is that it appeals to the victims' curiosity and patriotic sentiments. The cyber criminals openly tell the victims that the program will run malware against the targeted Western computers, but do not reveal that the real target is the victim's own machine.
The malicious emails carry various subject lines appealing to the patriotic spirit of the recipients and make no attempt to disguise the link to the malicious file. All the recipients targeted had email addresses in the .ru domain.
Kelihos Trojan – What the Security Experts Think
According to the security experts who analysed the campaign, once the Kelihos Trojan runs on the victim's computer the bot contacts the Command & Control infrastructure over TCP and sends encrypted GET requests to the C2 URLs. Some of the malicious emails even include instructions on how to disable the antivirus program on the PC so that the malware can be installed.
Experts see this as an unusual but effective method of delivering malware: it relies on people's willingness to take part in a retribution campaign against those who have taken political or financial measures against their country.