An Orthodox Holiday For Some Unorthodox Actors

January 14, 2016
Christopher Dawson

Not surprisingly, Dridex activity basically ceased in September 2015 after the arrest of one of the key cybercriminals behind the banking Trojan. In its place, we observed an uptick of Vawtrak and CryptoWall, just as Dridex seemed to fill the vacuum left after the Zeus takedown. However, Dridex was back with a vengeance in October and barely missed a beat after the FBI and others reported a mid-October takedown. In fact, Dridex-bearing spam volumes were higher than ever, as the graph of Dridex message volumes from August through December 2015 shows below:

Figure 1: Dridex message volumes for August-December 2015

Dridex has been at the top of the malware heap since it reemerged in October. Proofpoint has observed especially high volumes in early- to mid-December, and some campaigns were active right up through December 24th.

The biggest actors appeared to take a break through the end of the year but, instead of relaunching their attacks when their primary targets in the US, UK, and France went back to work on January 4th as might have been expected, most did not start spinning up their operations until the 7th or 8th. By January 13th, we began observing the very high message volumes from the top Dridex actors that we had come to expect before the holidays.

For example, one of the top actors Proofpoint researchers have observed distributing both Dridex and Shifu from multiple botnets was completely inactive from December 24th through January 10th. January 11th marked the beginning of test drops, and volume had returned to pre-holiday levels by the 13th (Fig. 2).

Figure 2: Dridex activity from one of the top observed actors during the last 30 days

In the absence of new takedowns or other law enforcement action, what could be the cause of the extended lull in Dridex activity? The likely explanation is that most of these actors reside in Russia and Eastern Europe, where Christmas and New Year's are celebrated according to the Julian calendar used by the Russian Orthodox Church. Under the Julian calendar, Christmas occurs on January 7th and the new year begins on January 14th. The week leading up to the Orthodox Christmas is celebrated as a New Year's holiday week, and even the top Dridex actors join in and take a break.

Other threat actors began their test drops the week of the 4th but clearly were not engaged in full-blown campaigns as message stats for the actor below show:

Figure 3: Earlier but still limited Dridex activity from another top actor during the last 30 days

This trend was most pronounced for Dridex given the very high message volumes observed, but it was certainly not unique to this particular bit of malware. Proofpoint also observed Orthodox holiday-related breaks in other malware families traditionally associated with Russian actors. A top Vawtrak actor, for example, was completely inactive until the 11th (Fig. 4).

Figure 4: Vawtrak distribution activity over the year-end holidays

Gootkit-bearing spam also took an extended holiday, while campaigns of unsolicited messages directing users to websites infected with the Angler exploit kit did not pick back up until this week (Fig. 5).

Figure 5: Angler gets a holiday too

While seasonal and weekly variations in spam message volume are very common, Dridex-related volumes were so high (somewhat ironically) following the FBI takedown in October that any extended break was enough to raise eyebrows. It looks as though the holiday is over for our top actors in Russia and Eastern Europe and, along with it, so ends our brief respite from Dridex campaigns.