Zombie Spider
Description
(CrowdStrike) The primary threat actor, who was tracked by CrowdStrike as Zombie Spider, rose to prominence in the criminal underground under the moniker Peter Severa. The individual behind this handle is Peter Yuryevich LEVASHOV who was arrested in Spain when the final version of Kelihos was taken over in April 2017, and who recently pleaded guilty to operating the botnet for criminal purposes.
For several years, pump-and-dump stock scams, dating ruses, credential phishing, money mule recruitment and rogue online pharmacy advertisements were the most common spam themes. In 2017, however, Kelihos was frequently used to spread other malware such as LuminosityLink, Zyklon HTTP, Neutrino, Nymaim, Gozi/ISFB, Panda Zeus, Kronos, and TrickBot. It was also observed spreading ransomware families including Shade, Cerber, and FileCrypt2.
Kelihos has been observed to distribute TrickBot (Wizard Spider, Gold Blackburn) and Zeus Panda (Bamboo Spider, TA544).
Names
| Name | Name-Giver |
|---|---|
| Zombie Spider | CrowdStrike |
Country
Motivation
- Financial gain
First Seen
2010
Observed Countries
Tools
Operations
- 2017-02: Kelihos Spreads via USB Drives https://www.securityweek.com/kelihos-spreads-usb-drives
Counter Operations
- 2012-03: On Wednesday, March 21, 2012, security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project initiated efforts to detect and disrupt the operations of a botnet known as Waledac/Kelihos (also known as Hlux). https://www.secureworks.com/research/waledac-kelihos-botnet-takeover
- 2017-04: Justice Department Announces Actions to Dismantle Kelihos Botnet https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0
- 2021-06: Russian National Convicted of Charges Relating to Kelihos Botnet https://www.justice.gov/opa/pr/russian-national-convicted-charges-relating-kelihos-botnet https://therecord.media/kelihos-botnet-creator-sentenced-to-time-served/
Information
- https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/
- https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/
- https://en.wikipedia.org/wiki/Kelihos_botnet
Other Information
Uuid
2c1d1677-f2d9-44e1-ac9a-4f7f4047e2d5
Last Card Change
2021-08-09