FireEye Labs observed that Dridex operators were active during the holiday season. However, during the post-Christmas and New Year weeks, we observed a slowdown in their spam campaigns.
Interestingly, their breaks were short. Over the past few weeks they have resumed operations and are building momentum. A small Dridex spike was seen in the first week of January 2016, followed by a few large waves of Dridex campaigns in the following weeks, as seen in Figure 1. FireEye Labs has studied this prolific spam botnet in the past, detailing some of its delivery mechanisms and its recovery from a takedown in earlier posts.
Figure 1. Malicious .doc and .xls attachment counts through January
These campaigns largely targeted the manufacturing, telecommunications, and financial services sectors, as seen in Figure 2.
Figure 2. Targeted industries
In addition, the campaigns mostly targeted the United States and United Kingdom, as seen in Figure 3.
Figure 3. Targeted countries
Here are quick summaries and indicators for some of the prominent campaigns.
British Gas account spam, week of January 11
Figure 4. British Gas themed spam message
British Gas - A/c No. 602131633 - New Account
GET /l9k7hg4/b4387kfd.exe HTTP/1.1
Telephone bill themed spam, week of January 18
Figure 5. Telephone bill themed spam message
The Billing Team <firstname.lastname@example.org>
Your Telephone Bill Invoices & Reports
GET /8h75f56f/34qwj9kk.exe HTTP/1.1
New Order spam, week of January 25
Figure 6. New Order-themed spam message
· GET /4f4f/7u65j5hg.exe HTTP/1.1
· GET /54t4f4f/7u65j5hg.exe HTTP/1.1
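A hunt for the request paths listed in the campaign summaries above, run over web proxy logs (an added example, not code from FireEye or the original post). Only the four exact paths come from the post; the log format, the sample lines and the looser SHAPE pattern are assumptions made for illustration.

```python
import re

# Request paths exactly as listed in the campaign summaries above.
KNOWN_PATHS = {
    "/l9k7hg4/b4387kfd.exe",
    "/8h75f56f/34qwj9kk.exe",
    "/4f4f/7u65j5hg.exe",
    "/54t4f4f/7u65j5hg.exe",
}

# Assumption (not from the post): a loose shape shared by the four paths,
# one short lowercase alphanumeric directory, then an 8-character .exe name.
SHAPE = re.compile(r"^/[a-z0-9]{4,8}/[a-z0-9]{8}\.exe$")

# Request line inside a combined-log-format style proxy record (assumed format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

def classify(path):
    """Return 'known' for an exact listed path, 'shape' for a look-alike, else None."""
    path = path.split("?", 1)[0].lower()
    if path in KNOWN_PATHS:
        return "known"
    return "shape" if SHAPE.match(path) else None

def scan(lines):
    """Return a list of (line_number, client, path, verdict) for matching GET requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m or m.group("method") != "GET":
            continue
        # Proxies often log absolute URLs; reduce them to the path.
        path = re.sub(r"^https?://[^/]+", "", m.group("target"))
        verdict = classify(path)
        if verdict:
            hits.append((n, line.split(" ", 1)[0], path, verdict))
    return hits

# Constructed sample log lines (hosts and client addresses are placeholders).
SAMPLE = [
    '10.0.0.5 - - [12/Jan/2016:09:14:02 +0000] "GET http://host.example/l9k7hg4/b4387kfd.exe HTTP/1.1" 200 180224',
    '10.0.0.7 - - [12/Jan/2016:09:15:40 +0000] "GET /images/logo.png HTTP/1.1" 200 5120',
    '10.0.0.9 - - [26/Jan/2016:11:02:13 +0000] "GET /ab12cd/zz9yy8xx.exe HTTP/1.1" 200 200704',
    '10.0.0.9 - - [26/Jan/2016:11:03:00 +0000] "GET /downloads/setup.exe HTTP/1.1" 200 1048576',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Treat "known" hits as high confidence and "shape" hits as leads to triage, since the looser pattern can match unrelated downloads.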
The Dridex operators may have taken a break after Christmas, but soon after the New Year they ramped up their activities and resumed their operations as usual. It is important for organizations to remain vigilant with user education, proactive detection technologies and security policies that help prevent cybersecurity threats.
Thanks to Joonho Sa for contributing to this research.