The Malware Holiday Ends—Welcome Back Geodo and Chanitor
Even cybercriminals knock off for the holidays. Then in January, it’s back to work. We all have bills to pay.
This past holiday season, including the Russian Orthodox Christmas which fell on January 7, threat actors cooled their heels and malware campaigns dipped. But with the holidays over, threat actors are back in action. Chanitor malware campaigns are spiking, at even higher levels than a year ago, and Geodo/Emotet campaigns have been surging too.
Chanitor and Geodo/Emotet are used to install malicious payloads like banking trojans on infected machines. Cofense Intelligence™ has closely monitored both; learn more about our human-vetted phishing threat intelligence.
Cofense Intelligence has observed a resurgence of Geodo/Emotet and Chanitor/Hancitor after the customary Christmas lull. Geodo has been seen pairing up with IcedID, while Chanitor has been delivering Ursnif, forsaking its traditional accomplices DELoader and Zeus Panda. Consistent patterns of activity throughout January 2018 and January 2019 suggest that threat actors keep schedules similar to those of the majority of their region’s workforce.
It is no secret that overall phishing activity drops off just prior to Western Christmas on December 25 and picks up again shortly after Russian Orthodox Christmas on January 7 (December 25 on the Julian calendar). The reason for this downturn may be as simple as Eastern European and Russian threat actors observing the holidays and taking some time off. Indeed, modern cybercrime rings increasingly emulate conventional businesses, so ‘company’-mandated time off is a real possibility.
The Chanitor’s New Clothes
Following a lull in major malware family distributions, Chanitor and Geodo both resurged in January in each of 2018 and 2019, making them useful benchmarks for threat actor activity around the holiday season. In 2019, campaigns delivering Chanitor appear to be continuing a relatively new trend: Chanitor’s delivery of Ursnif. Across the last 100 campaigns involving Chanitor observed by Cofense Intelligence, 94 delivered Pony, and 69 of those subsequently delivered either Zeus Panda or DELoader (a Zeus derivative). Around the end of October 2018, Chanitor was first observed serving Ursnif as part of its infection chain. That trend continued into 2019: the first campaign of the year again served Ursnif alongside a pair of Pony stealers. Figure 1 details the Chanitor campaigns directly observed by Cofense Intelligence.
Figure 1: Chanitor’s familial distribution patterns throughout 2018
January Trends: 2018 vs 2019
January 2018 saw a flatter distribution of campaigns than January 2019, despite a far larger variety of malware combinations. This year, by contrast, has so far been characterized by a distinct upturn in campaign volumes from January 10, following a single-day spike on January 7. The graphics below convey these trends and compare the malware families and phenotypes observed during the past two Januarys.
Figure 2: Campaigns observed during January 2018
Figure 3: Campaigns observed during January 2019
Malware: January 2018 vs 2019
Figure 4: Malware observed during January 2018
Figure 5: Malware observed during January 2019
Phenotypes: 2018 vs 2019
Figure 6: Phenotype distribution during January 2018
Figure 7: Phenotype distribution during January 2019
What Holiday Schedules Tell Us about Threat Actors
Malware actors tend to follow distinct regional and global trends, but those trends are not simply a function of when the actors are at work: sophisticated actors also time each campaign to maximize its effectiveness, getting more “bang for their buck,” as it were. Even so, an immediately obvious spike in campaign volumes follows the holiday season, suggesting that the actors work to defined schedules. Strategic threat actors almost certainly have several priorities that dictate the distribution models, templates, and payloads they employ, with the aim of:
- Exposing their own delivery infrastructure only for as long as is strictly necessary.
- Launching campaigns only when the target demographic is most likely to receive the emails early in the campaign cycle (that is, before the infrastructure is identified and taken down).
- Employing narratives that fit culturally and temporally with the target demographic. Current events, holidays or observances, and seasonal narratives all require consideration.
Meta-analysis of campaign timing by malware family can provide clues as to where threat actors are located. A distribution pattern that correlates tightly with a specific regional holiday suggests the source is in, or from, that region. The inference is strongest when the lull outlasts the targets’ own holidays: Western targets were back at their desks by January 2, yet volumes did not recover until after January 7, which points to the actors’ calendar rather than the victims’.
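The meta-analysis described above, and the payload-chain tallies reported for Chanitor earlier on this page (94 of 100 campaigns delivering Pony, 69 of those going on to Zeus Panda or DELoader), can both be computed from a list of dated campaign records. The following is an added example written for this page, not Cofense code; the campaign records are constructed and deterministic, the holiday windows are assumptions (the Lunar New Year window is included only as a control that the constructed data does not honour), and the scoring rule is a simple one: a genuine holiday window should show low volume inside it relative to the preceding two weeks and a rebound in the week right after it ends.

```python
"""Seasonality and payload-chain meta-analysis over phishing campaign records.

Added example (not Cofense code). Campaign records are constructed for
illustration; the holiday windows are assumptions, not observed data.
"""
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Campaign(NamedTuple):
    first_seen: date
    loader: str                # first-stage family, e.g. "Chanitor" or "Geodo"
    payloads: Tuple[str, ...]  # follow-on payloads, in delivery order


# Candidate holiday windows (inclusive). A lull that tracks one of these
# windows, followed by a rebound right after it ends, hints at the region.
HOLIDAY_WINDOWS: Dict[str, Tuple[date, date]] = {
    "western_christmas": (date(2018, 12, 24), date(2019, 1, 1)),
    "orthodox_christmas": (date(2018, 12, 24), date(2019, 1, 7)),  # Western through Orthodox Christmas
    "lunar_new_year": (date(2019, 2, 4), date(2019, 2, 10)),       # assumed control window
}


def chanitor_chain(k: int) -> Tuple[str, ...]:
    """Constructed mix of Chanitor chains: mostly Pony -> Zeus Panda/DELoader,
    with an occasional Ursnif plus a pair of Pony stealers."""
    r = k % 10
    if r == 0:
        return ("Ursnif", "Pony", "Pony")
    if r <= 6:
        return ("Pony", "Zeus Panda")
    if r <= 8:
        return ("Pony", "DELoader")
    return ("Pony",)


def build_sample_campaigns() -> List[Campaign]:
    """Constructed, deterministic sample: one Chanitor and one Geodo campaign
    per weekday in December, nothing from 24 Dec to 9 Jan except a single
    Geodo campaign on 7 Jan, then two Chanitor plus one Geodo per weekday."""
    campaigns: List[Campaign] = []
    k_chanitor = k_geodo = 0
    day, end = date(2018, 12, 1), date(2019, 2, 28)
    while day <= end:
        if date(2018, 12, 24) <= day <= date(2019, 1, 9):
            if day == date(2019, 1, 7):  # the single-day spike
                campaigns.append(Campaign(day, "Geodo", ("IcedID",)))
                k_geodo += 1
        elif day.weekday() < 5:
            for _ in range(1 if day < date(2019, 1, 10) else 2):
                campaigns.append(Campaign(day, "Chanitor", chanitor_chain(k_chanitor)))
                k_chanitor += 1
            campaigns.append(Campaign(day, "Geodo", ("IcedID",) if k_geodo % 2 == 0 else ()))
            k_geodo += 1
        day += timedelta(days=1)
    return campaigns


def daily_counts(campaigns: List[Campaign]) -> Counter:
    return Counter(c.first_seen for c in campaigns)


def mean_volume(counts: Counter, start: date, end: date) -> float:
    """Mean campaigns per calendar day over [start, end], counting zero days."""
    days = (end - start).days + 1
    return sum(counts[start + timedelta(d)] for d in range(days)) / days


def window_score(campaigns: List[Campaign], window: Tuple[date, date],
                 baseline_days: int = 14, rebound_days: int = 7) -> Dict[str, float]:
    """lull = in-window volume relative to the preceding baseline;
    rebound = volume in the days right after the window, relative to the same
    baseline. A genuine holiday window has a low lull and a rebound near 1."""
    start, end = window
    counts = daily_counts(campaigns)
    baseline = mean_volume(counts, start - timedelta(baseline_days), start - timedelta(1))
    lull = mean_volume(counts, start, end) / baseline
    rebound = mean_volume(counts, end + timedelta(1), end + timedelta(rebound_days)) / baseline
    return {"lull": lull, "rebound": rebound, "score": rebound - lull}


def rank_windows(campaigns: List[Campaign],
                 windows: Dict[str, Tuple[date, date]] = HOLIDAY_WINDOWS) -> List[Tuple[str, Dict[str, float]]]:
    """Best-fitting holiday window first."""
    scored = [(name, window_score(campaigns, w)) for name, w in windows.items()]
    return sorted(scored, key=lambda item: item[1]["score"], reverse=True)


def payload_prevalence(campaigns: List[Campaign], loader: str) -> Tuple[int, Counter]:
    """Number of campaigns using `loader`, and how many of them carried each payload."""
    chains = [c.payloads for c in campaigns if c.loader == loader]
    return len(chains), Counter(p for chain in chains for p in set(chain))


def follow_on(campaigns: List[Campaign], loader: str, stage: str) -> Counter:
    """Payloads delivered after the first occurrence of `stage` in a chain."""
    seen: Counter = Counter()
    for c in campaigns:
        if c.loader == loader and stage in c.payloads:
            seen.update(set(c.payloads[c.payloads.index(stage) + 1:]))
    return seen


if __name__ == "__main__":
    sample = build_sample_campaigns()
    for name, s in rank_windows(sample):
        print(f"{name:20s} lull={s['lull']:.2f} rebound={s['rebound']:.2f} score={s['score']:.2f}")
    total, prevalence = payload_prevalence(sample, "Chanitor")
    print(f"Chanitor campaigns: {total}, payloads: {dict(prevalence)}")
    print("after Pony:", dict(follow_on(sample, "Chanitor", "Pony")))
```

Note why the score combines a rebound term with the lull: on the constructed data the Western window actually has the lower in-window volume (zero), because it is entirely contained in the quiet period, yet the week after it ends is still almost silent. Only the Orthodox window is followed by the recovery, which is the signal the article relies on. Any real analysis should also weight campaigns by size and check that the lull is not explained by the targets’ own calendar.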
To keep up with the latest phishing and malware threats, sign up for free Cofense Threat Alerts.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.