Cybercriminals appear to be attempting to rebuild the infamous Kelihos spam botnet by using anti-foreign sentiment in Russia in a bid to persuade users to download the malware, according to Websense.
The security vendor claimed to have spotted a new campaign targeting Russian netizens with a patriotic message: download an unnamed computer program written by the sender which will secretly attack the government websites of countries that imposed sanctions on Russia.
A link is included in the email which claims to download the program; although in reality it will download the Kelihos spam botnet, according to senior security researcher, Ran Mosessco.
“What's different about this case is that instead of appealing to the victims' sense of curiosity, the cybercriminals appeal to patriotic sentiments, blatantly saying that they will run malware on the intended targets' computers, but without disclosing the true nature of the malware,” he explained in a blog post.
“The variants we have analyzed so far in this campaign seem to have the spambot and sniffing functionality; no DDoS behavior has been observed during preliminary analysis. Even so, the damage for a business allowing their infrastructure to run such malware could be significant (blacklisting for example).”
Once a user clicks on the download link Kelihos will use a Winpcap driver to monitor connections and sniff passwords from different protocols including SMTP, so that it can email the same message out to more victims from a legitimate address.
The bot also communicates with various C&C servers.
The malicious email has been blocked already 100,000 times by Websense since it was discovered on August 20.
“Since the dropper files change, it's not out of the question that a variant with DDoS capabilities would be used, but nonetheless, businesses should make sure they are protected against any such malware using comprehensive security solutions, both for inbound and outbound protection,” said Mosessco.