Since the Kelihos takedown in front of a live audience at RSA Conference in 2013, the operator had opted to maintain a low profile by keeping the total number of infections at only a fraction of the previous size. In the past Kelihos’ MO was spamming stock pump and dump schemes or pharmaceutical scams then laying dormant for weeks or even months, but since mid June the botnet has started spamming other malware. The first malware seen being spammed was the Wildfire ransomware which I found very unusual: the ransomware itself appears to be the work of scriptkiddies (the code is very amateur, it utilizes the .net framework, and the C&C servers are hosted using a shared hosting sold on an English language scriptkiddie forum); these are not the sort of people you’d expect to be involved with a Russia spam veteran. Once the wildfire had died down, Kelihos went on to spread ransomware from another author as well as banking trojan based on the Zeus source code. It’s quite possible the Kelihos operator has come to the realization that spamming ransomware and banking trojans is a far more profitable than the dying art of pump and dump spam.

Activity Spikes

Around the same time Kelihos was still spreading the Wildfire ransomware I saw a series of small increases in new Kelihos infections (up to 2,000 in a 24h period) between June 27th and July 5th, followed by a week long campaign of aggressive spreading starting on July 11th, which saw the botnet size grow from ~8,000 infections to ~13,000.

The botnet size remained steady at 13,000 while the botnet continued spamming various different malware families, until two days ago (22 August) when my graphs went parabolic. In the 3 hour period between 17:00 and 20:00 UTC my Kelihos tracker saw 16,000 new infections with nearly 9000 of those occurring in the first 10 minutes.

At 17:00 we can also see the same spike in queries to the fallback DNS which the bot will connect to if it fails to contact any nodes for an extended period of time.

In the 24 hours after the initial spike the botnet continued to grow at a slow but steady pace taking it all the way up to a grand total of 34,533 infections

If we break down the new infections an categorize by country, we can see from the geographical distribution that the campaign was most likely not targeted; looking at the top 10 most infected countries we’re presented with the usual suspects of low income high population nations.

When mapped out the data reads like any other indiscriminate malware campaign with infections tied mainly to global population centers and the majority in developing countries.

Conclusion

It’s likely that spamming the Wildfire ransomware was the Kelihos operator testing the water and now will likely joined the rest of the major spam botnets in the continued spamming of ransomware and banking trojans laced emails. I’d not be surprised if we continue to see further increases in infections as the operator expands the botnet to accommodate higher volumes of spam.