The Latest in IT Security

Win32/Kelihos, Recruiting in a Country Near You


As part of our botnet monitoring initiative, we recently stumbled across an interesting piece of news. The Win32/Kelihos botnet, a likely successor to Win32/Waledac and Win32/Nuwar (the infamous Storm worm), is now sending spam to recruit money mules. We captured two different spam templates used by the bot to generate spam messages. As shown in the images below, the recruitment advertisements are in two languages, German and Portuguese.

We often see mule recruitment spam but it is usually in English. This is a likely proof that standard recruitment schemes are getting less successful and malicious actors need to spend more energy on targeted audience in their native language. Another possibility would be that the malware operators are specifically looking for money mules in Portugal and Germany. In the last couple of weeks, the Win32/Kelihos botnet was used for pump and dump scams, it is likely the operators are now moving to the next step of their operation which is to transform their gain on the stock market into cash.

If you are interested in peer-to-peer botnets and the evolution of Win32/Kelihos, we will present on this topic at the upcoming Virus Bulletin conference in Barcelona.

Thanks to Sebastien Duquette and Alexis Dorais-Joncas for their help in this research.

Pierre-Marc Bureau
Senior Malware Researcher

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments