Echoes of a Takedown: Arrests Impact Kelihos Botnet Infrastructure... Again
Thirty-six-year-old Russian Peter Yuryevich Levashov was arrested last week in Spain. His arrest relates to charges stemming from his command of the Kelihos Botnet and related fraud charges. The Kelihos Botnet (and related infrastructure) has been in operation since 2010. Authorities allege that Levashov has been controlling the operation, or has at least been an accessory to it, since that time. The large-scale operation was primarily used to distribute spam by relaying email through the infected hosts within the network. In addition, the hosts were used to distribute additional malware, including RATs and ransomware. The botnet, as is typical, was not necessarily under the full control of the direct Kelihos operators. That is to say, the resources (infected hosts) were sold or rented to other ne'er-do-wells to use as they saw fit.

In conjunction with the arrest and investigation, U.S. authorities worked with additional security vendors to assist in interrupting the Kelihos infrastructure. On April 8, 2017, a successful effort to sinkhole 100% of the C2 traffic took place. As a result, the current operations of the network were fully seized. The Shadowserver Foundation noted the following statistics during its involvement in the operation.