Kelihos Botnet Trying to Expand by Harnessing Russian National Sentiments
Posted by Ran Mosessco on 22 August 2014 07:10 PM
Websense® Security Labs™ has come across an interesting campaign, targeting Russian nationals, trying to lure them to download and run executables on their computers, under the guise of attacking Western government websites. This is presented as a crowd-sourcing effort to retaliate against the governments that imposed sanctions on Russia (following the conflict in Ukraine). In fact, the unfortunate victims' machines fall prey to the Kelihos spam botnet.
Kelihos (a.k.a Hlux) is a long running trojan/bot/backdoor family, with different variants having capabilities, such as:
Over the years, there have been several efforts to take down the botnet, but it seems the cyber criminals behind Kelihos are trying to revive and expand the botnet.
Following topical events as a lure is a technique we have seen in the past to distribute Kelihos, such examples were two large campaigns in 2013, that leveraged the RedKit Exploit kit to drop Kelihos on victims' computers. That in turn, led to a series of stock "pump & dump" campaigns, for financial gains.
Looking at Websense® ThreatSeeker® Intelligence Cloud telemetry of total hits to a specific type of webpages associated with Kelihos, we can see why the cyber criminals might be trying to expand:
We saw that after a big spike around April 2014, there seems to be a decrease in recent months, with a gradual uptick in August 2014. It's possible this is the beginning of the expansion efforts.
What's different about this case is that instead of appealing to the victims' sense of curiosity, the cyber criminals appeal to patriotic sentiments (see details in analysis below), blatantly saying that they will run malware on the intended targets' computers, but without disclosing the true nature of the malware.
The variants we have analyzed so far in this campaign seem to have the spambot and sniffing functionality; no DDoS behavior has been observed during preliminary analysis. Even so, the damage for a business allowing their infrastructure to run such malware could be significant (blacklisting for example).
* Note that this campaign does not use stages 3 & 4, details below.
The campaign started on August 20, 2014, and included email, such as this example:
The subject and body vary, but they are all similarly themed. Here is a translation (by Google) of the above text:
Subject: Help their homeland
We, the community of programmers from Russia, thrilled unreasonable sanctions that the United States imposed against Russia. We have created your answer, then you will find a link to a program written by us. Open it on your computer, and it will begin secretly to attack government websites of the countries that imposed these sanctions. The program operates silently, consumes no more than 5% of your online channel, no more than 20MB of traffic per day, and takes almost no processing power. After reboot the computer program completes its work, and if you want to - you can run it again manually.
Together, we - the power!
Link to file: hxxp://126.96.36.199/setup.exe Spare link: hxxp://188.8.131.52/setup.exe
As we mentioned, the text varies, and some of the messages carry a "helpful tip" to disable AV while running the executable.
Between August 20 and August 21, 2014, Websense Cloud Email Security has proactively blocked over 100,000 malicious messages from this campaign, all were sent to recipient addresses with .ru TLD.
These are the subjects we observed:
Since the campaign tries to appeal to would-be cyber warriors, there is no need to disguise the fact that an executable will be run on the victims' computers; therefore, the messages contain URLs with direct download links, such as:
The files hosted on these locations change to try to avoid AV detection.
At the time of the attack, AV detection was low:
Here is a sample Websense Threatscope™ sandbox report for a file dropped in this attack
Kelihos uses the Winpcap driver to monitor connections and sniff passwords from different protocols, mainly targeting SMTP so that mail can potentially be sent from seemingly legitimate email addresses.
When run on the victims' computers, the bot contacts the Command & Control (C2) infrastructure over TCP, then sends an encrypted GET request to the C2 URLs (hosted in Russia and Ukraine), such as:
Where the configuration is downloaded:
Additionally, the bot gets a list of content/links to spam from URLs such as:
Shortly afterwards, the bot makes DNS queries for mail servers:
And starts to send out email, in this case, the same kind that were observed earlier (asking to download the executable):
In this blog, we have seen an attempt by cyber criminals behind a long running bot network to expand and revive their operation, after a period of relative stagnation. The tactic of playing on national pride to use the victims for another nefarious purpose is somewhat unique: the criminals behind the campaign did not hide the fact that they are pointing to malware, just "failed to mention" that the immediate result of running it would be to join a spam botnet. Since the dropper files change, it's not out of the question that a variant with DDoS capabilities would be used, but nonetheless, businesses should make sure they are protected against any such malware using comprehensive security solutions, both for inbound and outbound protection.
Contributors: Ran Mosessco, Nick Griffin, Brandon Laux
Read more »
Long life to Kelihos!
Posted by Gianluca Giuliani on 17 February 2012 07:21 AM
During the past months, the spam engine Kelihos has attracted the attention of many people, including security company researchers and analysts. Very interesting also was the recent official Microsoft response where has been confirmed a new generation of Kelihos variants derived from the previous. The Websense® Security Labs™ Spam Trap system has detected a variant of Kelihos that is apparently still active.
We focused our research on trying to uncover the Kelihos command and control infrastructure and P2P network, along with some features of the botnet that we could recognize, including enhancements. The first interesting thing we noticed was in a sample of the network traffic generated by the bot before it starts its spam activity. As shown below, the bot generates a first request to an IP address that is listening on HTTP port 80:
We detected encrypted traffic between the "infected" host and the IP addresses shown above. The server contacted by the bot answers with another encrypted network stream. Before the bot starts to generate spam, it contacts another IP address, this time with an HTTP GET request, as shown in the following screen shot:
In this screen shot, we see that the "User-Agent" header string specifies a dodgy user agent, and that the traffic between the URL requested by the bot and the contacted server seems to be encrypted. Our investigation found that the last stream received by the bot is the configuration information that permits it to begin generating spam. This information includes the targeted countries, a list of recipients, a template for the email body, and a list of MX records needed to start the campaign.
From the statistic analysis of this binary (MD5 021EC96775A37AE92680C076295D5991), we can confirm that the new generation of Kelihos uses an encryption mechanism based on Blowfish. Using some of our tools of the trade, we reversed the binary and detected evidence of a statically linked instance of the cryptographic open source library called Crypto++. Further investigation using a tool called PEiD provided the needed confirmation of this:
This knowledge permitted us to start a more detailed investigation using a reverse engineering process. After we observed that the first IP address contacted by the bot was changed using a non-apparent criterion, we started to understand where that IP address was retrieved. We were unable to retrieve anything from a memory dump during the bot's runtime. However, a review of the memory contents revealed that some "hard coded" information in the bot was protected by a sort of in-memory mechanism based on encoding and encryption. In other words, the vital parameters that allow this bot to exist were not easily detectable because they were located in an area of the code where custom obfuscation was applied. When we looked for some IP addresses in memory, we detected the code routine used to decrypt the IP addresses (probably all compromised hosts). What follow is a dump snippet from the memory after the decryption routine:
The above screen shot shows the area of the bot's memory after the decryption routine extracts the first IP address to contact. The bot then starts the network conversation that we showed in the network traffic screen shot at the beginning of this blog. We found a total of 499 IP addresses in the bot's memory. Extracting this list from the bot, we can (thanks to Google Maps) represent graphically how widespread the Kelihos command and control and peers infrastructure is. The following illustration shows the geographical distribution of just 100 of those IP addresses chosen randomly from the list. Given the numerous locations shown, you can see how well this botnet is protected:
When we extracted the country code from the IP addresses, we generated the following graph, which shows the 20 countries that are home to most of the Kelihos command and control and peers systems:
More investigation of Kelihos spam activity revealed that this botnet is involved in several malicious campaigns, including the following phishing attempt:
Our Websense ThreatSeeker® network can detect this spam activity and block the communication between the Kelihos bot and its command and control and peers structure. The following screen shot shows how a Websense customer is protected against the phishing attempt shown in the mail above:
During our investigation, we also detected and trapped the following email messages generated by the Kelihos bot. We can see from this list that the campaign is targeted primarily for European and USA email addresses:
We could say much more about the Kelihos botnet. For example, the code seems to be derived and recycled from or other malicious code close to Waledac variants. We have detected some evidence of Infostealer activities targeting well-known FTP clients, the presence of a routine that acts like a Bitcoin wallet stealer, and a list of suspicious User Agents used by the bot to contact its command and control and other peers machines. Anyway, the most important thing derived from this analysis is that we have retrieved the entire list of the command and control systems.
Websense customers are protected from these threats by ACETM, our Advanced Classification Engine.
Read more »