Trojan delivery exploits Ukrainian political situation

BitDefender UK : 27 August, 2014  (Technical Article)
Hackers are using spam that exploits anti-Western feelings in Russia to deliver malicious code, which then spreads the malware further.

A self-proclaimed hacker community from Russia has installed data-stealing malware on users’ machines by pretending the software was designed to attack Western governments and the US, according to antivirus software company Bitdefender.

With the Ukrainian conflict in mind, hackers have crafted ingenious spam messages that help them deliver the Trojan to those who support the Russian cause and dislike the measures taken against the country. Users who click the malicious links unwittingly join the botnet and spread the malware further.

The Trojan drops three clean files used for traffic monitoring (npf_sys, packet_dll, wpcap_dll) and is capable of mining sensitive browser data, internet traffic and other personal information.

According to Bitdefender’s Russian-speaking antispam researchers, the malicious messages state, “We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country. We have coded our answer and below you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions.”

After clicking the links, victims download an executable file known as Kelihos. The Trojan communicates with the command and control centre by exchanging encrypted messages via HTTP to retrieve further instructions.

Depending on the type of payload, Kelihos can communicate with other infected computers; steal Bitcoin wallets; send spam emails; steal FTP and email credentials; download and execute other malicious files on the affected system; and monitor traffic for FTP, POP3 and SMTP protocols.

Bitdefender Labs analysed one of the recent malicious spam waves and noticed that all of the .eml files led to setup.exe links hosted on five unique IPs. Three belonged to Ukraine, while the other two were located in Poland and the Republic of Moldavia.
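The triage described above (a batch of .eml samples, links to a named payload, a tally of the unique hosts serving it) is easy to reproduce offline. The script below is an added example, not Bitdefender's tooling; the sample messages are constructed, the lure wording is paraphrased, and the hosts use documentation IP ranges and .invalid names rather than any indicator from the real campaign.

```python
"""Added example: triage a batch of .eml spam samples for links to a named
payload (setup.exe, as in the wave described above) and tally the unique
hosts that serve it. All sample data below is constructed."""
import email
import re
from email import policy
from ipaddress import ip_address
from urllib.parse import urlparse

# Matches http(s) URLs up to whitespace or HTML/quote delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample .eml texts (hypothetical; not real campaign mail).
SAMPLE_EMLS = [
    "From: lure@example.invalid\nSubject: our answer\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n\n"
    "Run the application on your computer: http://192.0.2.10/dl/setup.exe\n",
    "From: lure@example.invalid\nSubject: our answer\n"
    "Content-Type: text/html; charset=\"utf-8\"\n\n"
    "<p>Download: <a href=\"http://198.51.100.7/setup.exe\">here</a>.</p>\n",
    "From: lure@example.invalid\nSubject: our answer\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n\n"
    "Mirror: http://192.0.2.10/dl/setup.exe.\n"
    "Info: http://files.example.invalid/readme.txt\n",
    "From: lure@example.invalid\nSubject: our answer\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n\n"
    "Alternate: http://cdn.example.invalid/files/setup.exe\n",
]


def extract_urls(raw_eml: str) -> list:
    """Return every http(s) URL found in the text/plain and text/html parts of one message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                # Drop sentence punctuation that the regex swallowed ("...setup.exe.").
                urls.append(url.rstrip(".,;:)"))
    return urls


def payload_hosts(eml_texts, payload_name: str = "setup.exe") -> dict:
    """Map each host serving <payload_name> to the number of messages that link to it.

    A host is counted once per message even if the message repeats the link."""
    counts = {}
    for raw in eml_texts:
        hosts_in_msg = set()
        for url in extract_urls(raw):
            parsed = urlparse(url)
            basename = parsed.path.lower().rsplit("/", 1)[-1]
            if basename == payload_name and parsed.hostname:
                hosts_in_msg.add(parsed.hostname)
        for host in hosts_in_msg:
            counts[host] = counts.get(host, 0) + 1
    return counts


def split_ips_and_names(hosts) -> tuple:
    """Separate literal IP addresses (ready for geolocation or blocklisting)
    from domain names (which still need resolving)."""
    ips, names = [], []
    for host in hosts:
        try:
            ip_address(host)
            ips.append(host)
        except ValueError:
            names.append(host)
    return sorted(ips), sorted(names)


if __name__ == "__main__":
    tally = payload_hosts(SAMPLE_EMLS)
    ips, names = split_ips_and_names(tally)
    print("unique payload hosts:", len(tally))
    for host in ips + names:
        print(f"  {host:<24} linked from {tally[host]} message(s)")
```

In practice the .eml texts would be read from a quarantine directory, and the IP list handed to a geolocation or reputation lookup to get the per-country split the article reports; hostnames are kept separate because they must be resolved first, and resolution results may differ from what recipients saw at delivery time.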

“Some might be servers specialised in malware distribution or other infected computers that became part of the Kelihos botnet,” states Doina Cosovan, Virus Analyst at Bitdefender. “It is somehow ironic that most of the infected IPs are from Ukraine. This either means that computers in the country were also infected, or that Ukraine itself is where the distribution servers are located.”

Bitdefender blocks both the malicious spam wave and the Kelihos Trojan, protecting its users’ computers from infection.

To convince users of the program's authenticity, the Russian hackers claim it works silently, using no more than 10 to 50 megabytes of traffic per day, and takes almost no CPU time. The spam e-mails advise that after the computer is rebooted the program will terminate its activities, and that users can turn off their antivirus if necessary.

Doina Cosovan adds, “Turning off your security solution is not advisable. Instead, keep it installed and updated, just like your other software and operating system because malicious programs usually take advantage of vulnerabilities found in non-updated software.”

Also known as Hlux, the Kelihos botnet was discovered four years ago. It is mainly involved in the theft of Bitcoins and spamming. The botnet has a peer-to-peer structure, where individual nodes can act as command-and-control servers for the entire botnet, increasing its longevity.
