Saturday, July 09, 2016

Kelihos botnet delivering Dutch WildFire Ransomware

Guest Blogger Arsh Arora, a malware analyst and PhD candidate at UAB, has been keeping watch over the Kelihos spamming botnet. Yesterday he found some interesting things that I've asked his permission to share here.

Kelihos Delivering WildFire Locker Encryption Ransomware

While doing our daily chores of Kelihos malware analysis, we found an interesting behavior change that has never been seen before for Kelihos. The Kelihos botnet, which is famous predominantly for pharma spam for Canadian Health & Care Mall and for pump & dump spam, is delivering the WildFire Locker Encryption ransomware along with its regular pharma spam.

Kelihos spamming in Dutch

The messages observed during this analysis made use of a Dutch-language subject line and message body.

Subject: Mislukte afleverpoging BT-32084

Transportbedrijf Buitink B.V.
Westkanaaldijk 160
3542 DA Utrecht

Geachte heer / mevrouw, 

Op donderdag 7 juli heeft een van onze chauffeurs omstreeks 11.30 geprobeert 
om een pakket af te leveren. Aangezien dit niet is gelukt willen wij u graag 
verzoeken om zo spoedig mogelijk een nieuwe afspraak te maken.  U kunt een 
nieuwe afpsraak maken door het volgende formulier te downloaden, in te vullen
en retour te mailen naar

When translated to English, the message states:

Subject: Unsuccessful delivery attempt BT-32084

Transport Buitink B.V.
Westkanaaldijk 160
3542 DA Utrecht

Dear Sir / Madam,

On Thursday, July 7th at about 11:30 one of our drivers tried to deliver a package.
Since this was not successful, we would like to ask you to make a new appointment as soon as possible.
You can make a new appointment by downloading the following form, completing it, and returning it by email to

(This form also contains delivery HINTS)

Anna Dorst

The information contained in this email message is automatically generated and intended solely for the addressee. Use of this information by anyone other than the addressee is prohibited.

The message informs recipients of an undelivered package and entices the user to click on the embedded link.
Clicking the embedded link downloads a Microsoft Word document containing malicious code that places a file representing the WildFire Locker Encryption Ransomware on the victim’s computer.
This hostile document performs the following two steps:
First, it asks the user, in both English and Dutch, to "Enable Editing":

And then it asks the user to "Enable Content" or "Inhoud inschakelen":

When viewing the Visual Basic macro code within Microsoft Word, we found the following source code:

Some very interesting choices of variable names!  TonyMontanaZRanaJakmietana, Nazgul, MinasTirit, Gondor, KerryMcNot, LouiseBackdone, and VERYKINDVAR seem rather unique.  If you've seen them before, please leave a comment!

Once the macro is enabled, WildFire takes control of your machine and encrypts all the files with AES-256 CBC encryption.

The ransom note is displayed to the victim, who is instructed to visit one of the TOR-hosted payment locations in order to purchase a decryption password.  This password would be used to recover the files encrypted by the ransomware.

Some interesting observations from this data include several locations:

1. The Onion domain name, gsxrmcgsygcxfkbb[.]onion
2. A geoplugin URL, http://  www . geoplugin . net /
3. exithub1[.]su
4. exithub2[.]su
5. exithub-xuq[.]su
6. exithub-pql[.]su
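
As an added example (not part of the original post), the listed locations can be checked against DNS or proxy logs. The log format, the sample lines, and the "investigate" / "context-only" verdict names are assumptions made for illustration; the indicators are copied from the list above.

```python
import re

# Indicators exactly as listed in the post (defanged). geoplugin.net is a
# legitimate geolocation service, so a hit on it alone is weak evidence.
STRONG = ["gsxrmcgsygcxfkbb[.]onion", "exithub1[.]su", "exithub2[.]su",
          "exithub-xuq[.]su", "exithub-pql[.]su"]
WEAK = ["www . geoplugin . net"]  # assumption: treated as context only

def refang(ioc):
    """Turn 'a[.]b' or 'a . b' back into a plain lowercase hostname."""
    return re.sub(r"\s+", "", ioc.replace("[.]", ".")).lower()

def host_matches(host, ioc):
    """Exact match or true subdomain; 'notexithub1.su' must not match."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)

def triage(log_lines):
    """Return {client: 'investigate' | 'context-only'} for clients with hits.

    Assumed log format (constructed): '<timestamp> <client_ip> <queried_host>'.
    """
    strong, weak = [refang(i) for i in STRONG], [refang(i) for i in WEAK]
    verdicts = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guess
        _, client, host = parts
        if any(host_matches(host, i) for i in strong):
            verdicts[client] = "investigate"
        elif any(host_matches(host, i) for i in weak):
            verdicts.setdefault(client, "context-only")  # never downgrade
    return verdicts

# Constructed sample DNS log lines (not real traffic).
SAMPLE = [
    "2016-07-08T11:02:01Z 10.0.0.5 www.geoplugin.net",
    "2016-07-08T11:02:03Z 10.0.0.5 exithub1.su",
    "2016-07-08T11:05:10Z 10.0.0.9 www.geoplugin.net",
    "2016-07-08T11:06:44Z 10.0.0.7 notexithub1.su",
    "2016-07-08T11:07:00Z 10.0.0.8 gsxrmcgsygcxfkbb.onion.",
]

if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE).items()):
        print(client, verdict)
```

A client that only contacts the geolocation service is reported as context-only, while any contact with the .onion or exithub names is escalated.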

We hope you will agree that this change in behavior of the payload of the Kelihos botnet was worth noting.

Thanks for the Guest Blog, Arsh!
For more details on this observation: Arsh Arora, MSCFSM, PhD student, ararora at
(Arsh also runs the Facebook Group "Security Tips for Parents & Kids")

For more information about the Masters in Computer Forensics and Security Management at UAB, Gary Warner - gar at

