As part of our botnet monitoring initiative, we recently stumbled across an interesting piece of news. The Win32/Kelihos botnet, a likely successor to Win32/Waledac and Win32/Nuwar (the infamous Storm worm), is now sending spam to recruit money mules. We captured two different spam templates used by the bot to generate spam messages. As shown in the images below, the recruitment advertisements are in two languages, German and Portuguese.
We often see money mule recruitment spam, but it is usually in English. This suggests that the standard English-language recruitment schemes are becoming less effective and that the operators now have to spend more effort targeting audiences in their native language. Another possibility is that the operators are specifically looking for money mules in Portugal and Germany. Over the last couple of weeks the Win32/Kelihos botnet was used for pump-and-dump stock scams; the operators are likely now moving to the next step of their operation, turning their stock market gains into cash, which is exactly what mules are recruited for.
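The post does not reproduce the captured templates, so the following is an added example by the editor, not ESET's detection logic and not Kelihos output: a small heuristic that flags mule-recruitment messages by counting language-specific indicator phrases after stripping diacritics. The German, Portuguese and English sample messages, the indicator lists and the threshold of two distinct hits are all constructed for illustration.

```python
import re
import unicodedata

# Indicator phrases per language, written without diacritics because the
# message text is accent-stripped before matching. These lists are the
# editor's illustrative assumptions, not phrases taken from the Kelihos
# templates described in the post.
MULE_INDICATORS = {
    "de": ["finanzagent", "nebenverdienst", "von zu hause", "bankkonto",
           "provision", "geld weiter", "zahlungen"],
    "pt": ["agente financeiro", "trabalhar em casa", "conta bancaria",
           "comissao", "receba pagamentos", "transfira o dinheiro"],
    "en": ["money transfer agent", "work from home", "bank account",
           "commission", "receive payments", "forward the funds"],
}

# Constructed sample messages (not captured spam). The first three are
# mule recruitment ads; the last two are controls that must not trigger.
SAMPLES = {
    "de_mule": ("Wir suchen einen Finanzagenten fuer einen Nebenverdienst von "
                "zu Hause. Sie erhalten Zahlungen auf Ihr Bankkonto und leiten "
                "das Geld weiter. 10% Provision pro Auftrag."),
    "pt_mule": ("Procuramos agente financeiro para trabalhar em casa. Receba "
                "pagamentos na sua conta bancária, transfira o dinheiro e "
                "fique com uma comissão de 10%."),
    "en_mule": ("Money transfer agent needed. Work from home, receive payments "
                "to your bank account and forward the funds for a 10% "
                "commission."),
    "en_benign": ("Reminder: the quarterly newsletter goes out Friday; please "
                  "send your updates to the editor."),
    "en_single_hit": "Sales representative wanted, base salary plus commission.",
}


def normalize(text: str) -> str:
    """Lowercase, drop combining diacritics (comissão -> comissao) and
    collapse whitespace so indicator phrases match loosely formatted spam."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"\s+", " ", stripped.lower()).strip()


def score(text: str) -> dict:
    """Count how many distinct indicator phrases of each language occur."""
    norm = normalize(text)
    return {lang: sum(1 for phrase in phrases if phrase in norm)
            for lang, phrases in MULE_INDICATORS.items()}


def classify(text: str, threshold: int = 2) -> tuple:
    """Return (flagged, language, hits). A message is flagged only when the
    best-scoring language reaches `threshold` distinct indicators, so a lone
    generic word such as 'commission' in a legitimate job ad is not enough."""
    scores = score(text)
    lang, hits = max(scores.items(), key=lambda kv: kv[1])
    if hits < threshold:
        return (False, None, hits)
    return (True, lang, hits)


def scan(messages: dict) -> dict:
    """Classify every message in a {name: text} mapping."""
    return {name: classify(text) for name, text in messages.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(f"{name:14s} -> flagged={result[0]!s:5s} lang={result[1]} hits={result[2]}")
```

The accent stripping only covers combining marks; transliterations such as "ue" for "ü" are not normalized, which is one reason a real filter would pair this kind of keyword heuristic with a proper language model and sender reputation rather than rely on it alone.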
If you are interested in peer-to-peer botnets and the evolution of Win32/Kelihos, we will present on this topic at the upcoming Virus Bulletin conference in Barcelona.
Thanks to Sebastien Duquette and Alexis Dorais-Joncas for their help in this research.
Author: Pierre-Marc Bureau, Senior Malware Researcher, ESET