FireEye Labs observed that Dridex operators remained active through the holiday season, but their spam campaigns slowed noticeably during the post-Christmas and New Year weeks.
The break was short. Over the past few weeks the operators have resumed and are building momentum: a small Dridex spike appeared in the first week of January 2016, followed by several large waves of campaigns in the weeks after, as seen in Figure 1. FireEye Labs has studied this prolific spam botnet before, detailing some of its delivery mechanisms and its recovery from the takedown in earlier posts.
Figure 1. Malicious .doc and .xls attachment counts through January
These campaigns largely targeted the manufacturing, telecommunications, and financial services sectors, as seen in Figure 2.
Figure 2. Targeted industries
In addition, the campaigns mostly targeted the United States and United Kingdom, as seen in Figure 3.
Figure 3. Targeted countries
Quick summaries and indicators for the most prominent campaigns follow. Each campaign used a lure email carrying a malicious .doc attachment; when the document is opened, it retrieves the Dridex payload from the callback URLs listed for that campaign.
British Gas account spam, week of January 11
Sample email:
Figure 4. British Gas themed spam message
Sending addresses:
· khouse2@kochind.onmicrosoft.com
· trinity<xxxx>@topsource.co.uk
Subject lines:
· British Gas - A/c No. 602131633 - New Account
Attachment names:
· British Gas.doc
Callback patterns:
· GET /l9k7hg4/b4387kfd.exe HTTP/1.1
Callback IPs/domains:
· amyzingbooks.com
· powerstarthosting.com
· webdesignoshawa.ca
Telephone bill themed spam, week of January 18
Sample email:
Figure 5. Telephone bill themed spam message
Sending addresses:
· The Billing Team <noreply@callbilling.co.uk>
Subject lines:
· Your Telephone Bill Invoices & Reports
Attachment names:
· Invoice_316103_Jul_2013.doc
Callback patterns:
· GET /8h75f56f/34qwj9kk.exe HTTP/1.1
Callback IPs/domains:
· bolmgren.com
· phaleshop.com
· return-gaming.de
New Order spam, week of January 25
Sample email:
Figure 6. New Order-themed spam message
Sending addresses:
· Michelle.Ludlow@dssmith.com
Subject lines:
· New Order
Attachment names:
· doc4502094035.doc
Callback patterns:
· GET /4f4f/7u65j5hg.exe HTTP/1.1
· GET /54t4f4f/7u65j5hg.exe HTTP/1.1
Callback IPs/domains:
· elta-th.com
· grudeal.com
· trendcheckers.com
· vinagps.net
· www.cityofdavidchurch.org
· www.hartrijders.com
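The three campaign summaries above give a small, concrete set of network indicators: twelve callback domains and four payload paths, all fetched with a plain HTTP GET. The script below, an added example written for this page and not FireEye's own tooling, turns those indicators into a scan over web-proxy logs. The log format, the sample log lines and the client IPs are constructed for the example; the loose path regex is an assumption derived from the shape of the four listed paths (a short two-segment alphanumeric path ending in .exe), not something the original post states, so treat its hits as hunting leads rather than blocking decisions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Callback domains transcribed from the British Gas, telephone bill and
# New Order campaign summaries. "www." is stripped so that both
# www.cityofdavidchurch.org and cityofdavidchurch.org match.
CALLBACK_DOMAINS = {
    "amyzingbooks.com", "powerstarthosting.com", "webdesignoshawa.ca",
    "bolmgren.com", "phaleshop.com", "return-gaming.de",
    "elta-th.com", "grudeal.com", "trendcheckers.com", "vinagps.net",
    "www.cityofdavidchurch.org", "www.hartrijders.com",
}

# Payload paths from the "Callback patterns" lists.
CALLBACK_PATHS = {
    "/l9k7hg4/b4387kfd.exe",
    "/8h75f56f/34qwj9kk.exe",
    "/4f4f/7u65j5hg.exe",
    "/54t4f4f/7u65j5hg.exe",
}

# ASSUMPTION (not from the original post): a heuristic for paths shaped like
# the four above, useful for hunting when the actor rotates hosts and names.
LOOSE_PATH_RE = re.compile(r"^/[a-z0-9]{3,12}/[a-z0-9]{3,12}\.exe$", re.IGNORECASE)

# ASSUMPTION: a simple whitespace-separated proxy log line, constructed for
# this example: timestamp client_ip method host uri status
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>[^\s/]+)\s+(?P<uri>/\S*)\s+(?P<status>\d{3})$"
)


def _bare(host: str) -> str:
    """Lower-case a hostname, drop a trailing dot and a leading 'www.'."""
    h = host.lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


_NORMALIZED_DOMAINS = {_bare(d) for d in CALLBACK_DOMAINS}


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    uri: str
    reason: str  # "exact", "domain", "path" or "heuristic"


def classify_request(host: str, uri: str) -> Optional[str]:
    """Return the strongest matching reason for a request, or None."""
    path = uri.split("?", 1)[0]
    host_hit = _bare(host) in _NORMALIZED_DOMAINS
    path_hit = path in CALLBACK_PATHS
    if host_hit and path_hit:
        return "exact"       # listed domain serving a listed payload path
    if host_hit:
        return "domain"      # any request to a listed callback domain
    if path_hit:
        return "path"        # listed payload path on a host not in the list
    if LOOSE_PATH_RE.match(path):
        return "heuristic"   # assumed pattern only; review before acting
    return None


def scan(log_text: str) -> List[Hit]:
    """Scan proxy log text line by line; unparseable lines are skipped."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify_request(m["host"], m["uri"])
        if reason:
            hits.append(Hit(m["ts"], m["client"], m["host"], m["uri"], reason))
    return hits


# Constructed sample log: one benign request, one malformed line, and
# requests exercising each match category.
SAMPLE_LOG = """\
2016-01-12T09:14:03Z 10.0.4.21 GET amyzingbooks.com /l9k7hg4/b4387kfd.exe 200
2016-01-12T09:15:10Z 10.0.4.21 GET www.example.com /index.html 200
2016-01-19T11:02:44Z 10.0.7.8 GET phaleshop.com /images/logo.png 404
2016-01-26T14:30:01Z 10.0.2.55 GET cdn.example.net /54t4f4f/7u65j5hg.exe 200
2016-01-26T14:31:12Z 10.0.2.55 GET www.cityofdavidchurch.org /about/ 200
2016-01-27T08:00:00Z 10.0.9.3 GET files.example.org /ab12cd/ef34gh.exe 200
this line is not a log record
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} -> {hit.host}{hit.uri} [{hit.reason}]")
```

The "domain" category is deliberately broad: a request to a listed host for a harmless-looking path (a 404 for a logo, a page under /about/) still tells you an endpoint is talking to infrastructure this actor used that week, and the client IP is the host to triage. The "path" category covers the case where the same payload path is served from a host not in the list, which is worth retaining because the operators rotate compromised hosts between waves.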
Conclusion
The Dridex operators may have paused after Christmas, but soon after the New Year they ramped up and resumed operations as usual. Organizations should stay vigilant: educate users about invoice- and account-themed lures, block or alert on the sender, attachment and callback indicators above, and keep proactive detection technologies and security policies in place that stop malicious Office attachments before the payload is fetched.
Acknowledgements
Thanks to Joonho Sa for contributing to this research.