The Kelihos Botnet Shifts to Banking Trojans and Ransomware Distribution

The MalwareTech security expert discovered that the Kelihos botnet, also known as Waledac, has started dropping banking Trojans and ransomware instead of its standard “pump-and-dump” spams while adding more and more new bots during the summer.

Kelihos is one of the oldest botnets, first spotted way back in 2008, but it has managed to survive a couple of sinkhole attempts and it is still active.

From when it first appeared and even until now, Kelihos has been the main distributor of “pump-and-dump” and pharma spamming campaigns. However, since these kind of threats are now quite easily detected, this business is not as lucrative as it used to be hence it started to sink.

This change didn’t go unnoticed by the long-serving crooks behind the botnet, who are clearly professionals. MalwareTech, both owner and operator of the Botnet Tracker project, says that Kelihos devs saw this change as an opportunity and they are currently oriented in the most profitable cybercrime operations: the distribution of banking Trojans and ransomware.

According to data received from this botnet tracker, Kelihos started delivering the WildFire ransomware at the end of July. The botnet`s size was steady for weeks at a lowly 8,000 infected machines until its size almost doubled to 13,000, between July 9th and 11th. At the same time Kelihos was delivering the WildFire ransomware, it was dropping other malware families as well, including the Zeus-based banking Trojan.

Exactly a week ago, on August 22nd, the Kelihos`s size almost tripled in a matter of hours, jumping from 12,500-13,000 machines to the 36,000 bots.

Unfortunately, the course on the new bots is unknown for the moment and researchers say it can be anything, from regular desktops to infected servers. What MalwareTech was able to discover was that this was not a targeted campaign.

The Kelihos bots are randomly delivered worldwide but most of them are dropped in densely populated countries like Mexico, India, Turkey, Peru, Brazil and Iran.

It’s likely that spamming the Wildfire ransomware was the Kelihos operator testing the water and now will likely joined [sic] the rest of the major spam botnets in the continued spamming of ransomware and banking trojans laced emails.“- MalwareTech said – “I’d not be surprised if we continue to see further increases in infections as the operator expands the botnet to accommodate higher volumes of spam.”

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.