A Kelihos campaign promises victims software to help the Russian cause in Ukraine but delivers malware instead.
A Kelihos campaign promises victims software to help the Russian cause in Ukraine but delivers malware instead.

Playing off of the conflict in Ukraine, Russian hackers are installing malware on victims' machines via links found in spam messages purporting to support the Russian cause, researchers at Bitdefender Labs reported in a Tuesday blog post.

Believing that they are taking a stand against the U.S. and Western governments by downloading software, users who click on the malicious links instead receive a trojan and unwittingly join the Kelihos botnet — discovered four years ago and also known as Hlux — that further spreads malware that can steal their data.

According to Bitdefender, the trojan drops three clean files — npf_sys, packet_dll and wpcap_dll — that are used to monitor traffic.

Once it has infected a user's computer, Kelihos demonstrates a versatile array of capabilities, including communicating with infected computers, stealing bitcoin wallets and sending spam emails. 

It can also steal FTP and email credentials as well as login data that browsers have saved; download and execute other malicious files; and monitor traffic for FTP, POP3 and SMTP protocols. 

While analyzing one of the recent spam waves, Bitdefender researchers observed that the .eml files all lead to setup.exe links with five unique IP addresses — three in Ukraine and one each in Poland and the Republic of Moldavia.

“Surprisingly enough, we discovered that over 40 percent of the analysed infected IPs who are part of the botnet belong to Ukraine,” Bianca Stanescu, a security analyst at Bitdefender, told SCMagazine.com in an email correspondence. “This can either be an anti-Russian diversion crafted by Ukrainian cyberwar 'soldiers' or, more likely, a sign that many of the infected machines belong to Ukraine and now unwillingly distribute the malware.”

Noting that while “this particular campaign poses a great level of threat to Russian-speaking countries,”  Stanescu said “Kelihos itself is a global botnet that affects users through different spam campaigns.”

Indeed, Bitdefender “spotted over 500 infected IPs in the U.S. alone, which have now become part of the botnet, helping to spread the malware further.” For example, the botnet was recently discovered to be associated with malware that plagued Community Health Systems.