The group behind the Kelihos botnet has launched a new campaign in order to add compromised systems to their collective. However, unlike previous efforts that relied on social engineering and spam, this new initiative simply asks the victim to install the malware.
The emails, written in Russian, state simply:
"We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country. We have coded our answer and below you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions."
Most malware campaigns play on the victim's sense of curiosity or emotional state so that they'll click on a link or open an attachment. Here, the Kelihos botmasters are focusing on patriotic sentiments.
The call to arms from Kelihos' controllers is reminiscent of Anonymous' efforts to get people to use compromised versions of LOIC around 2011 and 2012. In both cases, the person on the other end of the malware believes it will do one thing, while in reality they have no idea of its true nature.
In addition to the patriotic sentiment, the email messages also tell the victim that the program they download only runs once and disengages after the system is rebooted. The email also tells the victim to disable their anti-virus program if they have any trouble launching the tool.
Kelihos is a Trojan that can communicate with other bots, steal Bitcoin wallets, send spam, as well as capture FTP credentials and other stored credentials on the host system. If configured, variants can also monitor SMTP, POP3, and FTP traffic and report on it. The variant being delivered by this campaign, despite what the emails claim, does not contain DDoS functionality.
Websense says that in 24 hours, between August 20 and 21, they blocked 100,000 messages from this campaign. All of the recipients had email addresses in the .ru domain.
Some of the subject lines include:
And you a patriot?
For patriots of Russia
Defend your homeland
Defend Russia together
Answer the United States
Response to sanctions against Russia
Help their homeland
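The subject lines above, together with the observation that every recipient was in the .ru domain, are the kind of indicators a mail-gateway team would turn into a triage rule. The following is an added example, not code from Websense or from the original article: it normalizes subjects so casing and stray punctuation do not defeat the match, and runs over a few constructed log records (the "id|sender_ip|recipient|subject" format, the 192.0.2.x TEST-NET addresses and the mailboxes are all made up for this example). It uses the English renderings printed above; a real filter would also need the original Russian subjects, which this page does not reproduce.

```python
import re

# Lure subject lines reported for this campaign (English renderings from the
# write-up above; the originals were in Russian and are not on the page).
LURE_SUBJECTS = [
    "And you a patriot?",
    "For patriots of Russia",
    "Defend your homeland",
    "Defend Russia together",
    "Answer the United States",
    "Response to sanctions against Russia",
    "Help their homeland",
]


def normalize(text: str) -> str:
    """Case-fold, replace punctuation with spaces and collapse whitespace so
    small variations ("RESPONSE ... RUSSIA!!") still match the lure list."""
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", text.casefold())
    return " ".join(cleaned.split())


NORMALIZED_LURES = {normalize(s) for s in LURE_SUBJECTS}

# Constructed sample mail-gateway log (not real Websense data). Format:
# id|sender_ip|recipient|subject  -- sender IPs are TEST-NET placeholders.
SAMPLE_LOG = """\
m001|192.0.2.10|ivan@example.ru|Defend Russia together
m002|192.0.2.11|alice@example.com|Quarterly report
m003|192.0.2.12|olga@example.ru|RESPONSE TO SANCTIONS AGAINST RUSSIA!!
m004|192.0.2.13|bob@example.org|For patriots of Russia
m005|192.0.2.14|petr@example.ru|Lunch on Friday?
"""


def parse_log(text: str) -> list[dict]:
    """Parse the pipe-delimited records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        msg_id, sender_ip, recipient, subject = line.split("|", 3)
        records.append({
            "id": msg_id,
            "sender_ip": sender_ip,
            "recipient": recipient,
            "subject": subject,
        })
    return records


def flag_lure_messages(records: list[dict]) -> list[tuple[str, bool]]:
    """Return (message id, recipient_is_ru) for every record whose subject
    matches a known lure. The .ru flag is kept separately rather than used as
    a filter: the campaign targeted .ru mailboxes, but a lure subject sent to
    another domain is still worth a look."""
    hits = []
    for rec in records:
        if normalize(rec["subject"]) in NORMALIZED_LURES:
            domain = rec["recipient"].rsplit("@", 1)[-1].casefold()
            hits.append((rec["id"], domain.endswith(".ru")))
    return hits


if __name__ == "__main__":
    for msg_id, is_ru in flag_lure_messages(parse_log(SAMPLE_LOG)):
        print(f"{msg_id}: lure subject, recipient in .ru = {is_ru}")
```

Subject matching alone is a weak signal on its own (the lures are ordinary-sounding phrases), so in practice a hit like this would be combined with the message carrying a link to a downloadable executable and with the sending infrastructure, rather than blocked outright on the subject.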
"Over the years, there have been several efforts to take down the botnet, but it seems the cyber criminals behind Kelihos are trying to revive and expand the botnet," researchers at Websense noted in their report on this recent campaign.
"We saw that after a big spike around April 2014, there seems to be a decrease in recent months, with a gradual uptick in August 2014. It's possible this is the beginning of the expansion efforts."
The emails are linked to five unique IP addresses: three of them are in Ukraine and the other two are in Poland. Doina Cosovan, a virus analyst for BitDefender, noted that it was somewhat ironic that most of the infected IPs are from Ukraine.
"This either means that computers in the country were also infected, or that Ukraine itself is where the distribution servers are located," Cosovan added.