Dridex Botnet Resumes Spam Operations After the Holidays

FireEye Labs observed that Dridex operators remained active through the holiday season, but in the weeks immediately after Christmas and New Year we observed a slowdown in their spam campaigns.

Their break was short, however. Over the past few weeks they have resumed operations and are building momentum: a small Dridex spike appeared in the first week of January 2016, followed by several large waves of Dridex campaigns in the weeks after, as seen in Figure 1. FireEye Labs has studied this prolific spam botnet in the past, in earlier posts detailing some of its delivery mechanisms and its recovery from the takedown.

Figure 1. Malicious .doc and .xls attachment counts through January

These campaigns largely targeted the manufacturing, telecommunications, and financial services sectors, as seen in Figure 2.

Figure 2. Targeted industries

In addition, the campaigns mostly targeted the United States and United Kingdom, as seen in Figure 3.

Figure 3. Targeted countries

Here are quick summaries and indicators for some of the prominent campaigns. In each case the attachment is a malicious Office document; the callback pattern is the HTTP request it issues to fetch the Dridex executable, and the callback IPs/domains are the hosts that served it.

British Gas account spam, week of January 11

Sample email:

Figure 4. British Gas themed spam message

Sending addresses:

·      khouse2@kochind.onmicrosoft.com
·      trinity<xxxx>@topsource.co.uk

Subject lines:

British Gas - A/c No. 602131633 - New Account

Attachment names:

British Gas.doc

Callback patterns:

GET /l9k7hg4/b4387kfd.exe HTTP/1.1

Callback IPs/domains:

·      amyzingbooks.com
·      powerstarthosting.com
·      webdesignoshawa.ca


Telephone bill themed spam, week of January 18

Sample email:

Figure 5. Telephone bill themed spam message

Sending addresses:

The Billing Team <noreply@callbilling.co.uk>

Subject lines:

Your Telephone Bill Invoices & Reports

Attachment names:

Invoice_316103_Jul_2013.doc

Callback patterns:

GET /8h75f56f/34qwj9kk.exe HTTP/1.1

Callback IPs/domains:

·      bolmgren.com
·      phaleshop.com
·      return-gaming.de


New Order spam, week of January 25

Sample email:

Figure 6. New Order-themed spam message

Sending addresses:

Michelle.Ludlow@dssmith.com

Subject lines:

New Order

Attachment names:

doc4502094035.doc

Callback patterns:

·      GET /4f4f/7u65j5hg.exe HTTP/1.1
·      GET /54t4f4f/7u65j5hg.exe HTTP/1.1

Callback IPs/domains:

·      elta-th.com
·      grudeal.com
·      trendcheckers.com
·      vinagps.net
·      www.cityofdavidchurch.org
·      www.hartrijders.com
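The callback patterns and domains listed for the three campaigns are what a defender would pull out of this post and hunt for in web proxy logs. The following Python script is an added example, not code from the original post or from FireEye: it loads the indicators from the three campaigns above, scans a few constructed proxy log lines in an assumed space-separated format (timestamp, client IP, method, host, path, status), and grades each hit. An exact domain-plus-path match is high confidence, a match on either alone is medium, and a GET for a path that merely resembles the callback shape (short alphanumeric directory, alphanumeric filename, .exe) is a low-confidence lead. That last heuristic is a generalisation from the four paths on this page, not something the post states, and it will produce false positives on legitimate download sites.

```python
import re
from collections import namedtuple

# Callback indicators copied from the three campaigns described in the post.
CAMPAIGNS = {
    "British Gas account spam": {
        "paths": {"/l9k7hg4/b4387kfd.exe"},
        "domains": {"amyzingbooks.com", "powerstarthosting.com", "webdesignoshawa.ca"},
    },
    "Telephone bill themed spam": {
        "paths": {"/8h75f56f/34qwj9kk.exe"},
        "domains": {"bolmgren.com", "phaleshop.com", "return-gaming.de"},
    },
    "New Order spam": {
        "paths": {"/4f4f/7u65j5hg.exe", "/54t4f4f/7u65j5hg.exe"},
        "domains": {"elta-th.com", "grudeal.com", "trendcheckers.com", "vinagps.net",
                    "www.cityofdavidchurch.org", "www.hartrijders.com"},
    },
}

# Heuristic (an assumption, not from the post): every callback path on the page is a
# short lowercase alphanumeric directory plus an alphanumeric filename ending in .exe.
GENERIC_CALLBACK = re.compile(r"^/[a-z0-9]{3,10}/[a-z0-9]{6,10}\.exe$")

# Assumed proxy log format (constructed for this example):
# "<timestamp> <client_ip> <method> <host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

Hit = namedtuple("Hit", "client host path status campaign confidence")


def classify(method, host, path):
    """Return (campaign, confidence) for a request, or None if it matches nothing."""
    host = host.lower()
    for name, ioc in CAMPAIGNS.items():
        if host in ioc["domains"] and path in ioc["paths"]:
            return name, "high"        # domain and payload path both listed
        if host in ioc["domains"] or path in ioc["paths"]:
            return name, "medium"      # one indicator only (e.g. payload moved hosts)
    if method == "GET" and GENERIC_CALLBACK.match(path):
        return "unknown campaign (generic callback pattern)", "low"
    return None


def scan(lines):
    """Parse log lines and return a Hit for every request matching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real tool should count these
        result = classify(m["method"], m["host"], m["path"])
        if result:
            # Status is kept: a 404 on a listed path still means the document
            # executed and tried to fetch the payload, so the client needs triage.
            hits.append(Hit(m["client"], m["host"], m["path"], m["status"], *result))
    return hits


def clients_to_triage(hits):
    """Client IPs with at least a medium-confidence hit, sorted for a ticket."""
    return sorted({h.client for h in hits if h.confidence in ("high", "medium")})


# Constructed sample log; only the hosts/paths from the post are real indicators.
SAMPLE_LOG = """\
2016-01-12T09:14:03Z 10.1.4.23 GET amyzingbooks.com /l9k7hg4/b4387kfd.exe 200
2016-01-12T09:14:10Z 10.1.4.23 GET www.example.com /index.html 200
2016-01-19T14:02:55Z 10.1.7.88 GET phaleshop.com /8h75f56f/34qwj9kk.exe 404
2016-01-26T11:40:12Z 10.1.2.5 GET cdn.example.net /54t4f4f/7u65j5hg.exe 200
2016-01-26T11:41:00Z 10.1.2.5 POST www.hartrijders.com /login 302
2016-01-27T08:00:01Z 10.1.9.1 GET updates.example.org /abc123/qwerty99.exe 200
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"[{h.confidence:6}] {h.client} -> {h.host}{h.path} ({h.status}) {h.campaign}")
    print("clients to triage:", clients_to_triage(SAMPLE_LOG and found))
```

The medium tier matters in practice: the New Order campaign already shows the same payload name served from two paths and six hosts, so a hunt keyed only on full URLs misses the next rotation, while a hunt on domain or path alone catches it at the cost of some false positives.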

Conclusion

The Dridex operators may have taken a break after Christmas, but soon after the New Year they ramped up their activities and resumed operations as usual. Organizations should remain vigilant: user education, proactive detection technologies, and security policies that limit exposure to malicious email attachments all help reduce the risk from threats like this one.

Acknowledgements

Thanks to Joonho Sa for contributing to this research.