Win32/Kelihos, Recruiting in a Country Near You

As part of our botnet monitoring initiative, we recently stumbled across an interesting piece of news. The Win32/Kelihos botnet, a likely successor to Win32/Waledac and Win32/Nuwar (the infamous Storm worm), is now sending spam to recruit money mules. We captured two different spam templates used by the bot to generate spam messages. As shown in the images below, the recruitment advertisements are in two languages, German and Portuguese.

We often see mule recruitment spam but it is usually in English. This is a likely proof that standard recruitment schemes are getting less successful and malicious actors need to spend more energy on targeted audience in their native language. Another possibility would be that the malware operators are specifically looking for money mules in Portugal and Germany. In the last couple of weeks, the Win32/Kelihos botnet was used for pump and dump scams, it is likely the operators are now moving to the next step of their operation which is to transform their gain on the stock market into cash.

If you are interested in peer-to-peer botnets and the evolution of Win32/Kelihos, we will present on this topic at the upcoming Virus Bulletin conference in Barcelona.

Thanks to Sebastien Duquette and Alexis Dorais-Joncas for their help in this research.

Pierre-Marc Bureau
Senior Malware Researcher

Author Pierre-Marc Bureau, ESET

  • Reggie Gates

    OK, I'll ask…what is a money mule and what does Win32/Kelihos botnet do?  For us less technically orientated folks, more explanation would be helpful.
    R Gates

    • David Harley

      This might answer your question about money mules: As Pierre-Marc indicates, Kelihos is, like most active botnets, used for a range of activities (whatever makes money…). Earlier in its career, it was particularly associated with the theft of FTP passwords. Recently, it’s been used for stockmarket scams (a pump and dump scheme persuades people to buy low-value stock at an inflated price so that the scammer can sell it off at a large profit before it returns to a more realistic level). Pierre-Marc is, I think, suggesting that recruiting people to do moneylaundering is the next step in its monetizationn process.

Follow us

Copyright © 2017 ESET, All Rights Reserved.