Security Experts:

Connect with us

Hi, what are you looking for?



Multiple Banking Trojans Assault Users in Canada

Multiple banking Trojans were observed over the past couple of months focusing on users in Canada as part of campaigns of higher volume and broader diversity, Proofpoint researchers warn.

Multiple banking Trojans were observed over the past couple of months focusing on users in Canada as part of campaigns of higher volume and broader diversity, Proofpoint researchers warn.

The security company explains that numerous threat actors appear to have switched focus to Canada over a short period of time, and that the analyzed campaigns ranged from dozens of messages to tens of thousands. While most of these campaigns used malicious Word documents to install the banking Trojans onto victims’ PCs, malicious URLs pointing to malware were also spotted.

Canadian users have been targeted by similar email-based malware and phishing campaigns in the past, but researchers say that they appear to be intensifying lately. What’s more, the malicious payloads in these spam runs are a variety of banking Trojans, specifically designed to steal money from the individuals or businesses affected by this type of malware.

Proofpoint has observed six different banking Trojan families targeting customers of Canadian financial institutions, namely Dridex, Vawtrak, Kronos, Zeus, Gootkit, and Ursnif. When deployed, these Trojans are configured to work with specific banks, which also allows researchers to determine country-specific targets and the location of victims.

Attackers used various tactics to deliver their malicious payloads to unsuspecting users, including malicious macros and object linking and embedding (OLE) objects in Office documents, as well as links in spam emails, researchers say.

The first campaign was observed on May 17, relying on a fake Microsoft security alert social engineering lure to trick victims into clicking on a link that would take them to the executable download. As soon as the victim would launch the malicious payload, their machine would be infected with Kronos, a banking Trojan spotted for the first time two years ago. According to Proofpoint, this malware variant was specifically configured to target customers of US, Canadian, and Australian financial institutions.

Seen on June 6, the second campaign was using a document attachment posing as a Canada Post failed delivery notice, but which contained malicious macros that, once enabled, would download and install Dridex botnet 220. The spam run occurred while the Necurs botnet was down, while the Dridex instance used in it was configured to target various Canadian financial sites (Dridex was focusing on US only a couple of months ago).

A Gootkit campaign was observed on June 26, using a document with OLE objects and hiding JavaScript downloaders as a Microsoft Excel spreadsheet and a photo. When the user launches the alleged spreadsheet or photo, the JavaScript runs and the Gootkit payload is fetched. According to researchers, the Trojan variant in this campaign was configured to target Canadian and German financial sites.

Only two days ago, Proofpoint spotted another campaign, which uses a fake UPS proof of delivery document with malicious macros meant to download Vawtrak Project 21. Attackers use well-known brand names and stolen logos to trick users into believing the received message and attachment are legitimate. The Vawtrak variant in this campaign was configured to target Canadian and UK financial sites.

What Proofpoint researchers underline is the fact that, although banking Trojans were seen targeting Canada before, there has been a spike in infection campaigns, as well as in the number of malware variants focused on users in this country. Banking Trojans, however, are global threats, and organizations and individuals should avoid opening attachments or links coming from unknown sources, and should also configure their online banking accounts with maximum security settings.

“Organizations should also invest in appropriate security technologies to protect their employees from falling prey to these attacks. Businesses are particularly at risk because their bank accounts typically contain much larger amounts of money and are therefore a higher-priority target for attackers. Larger employee pools also increase the odds of a successful infection,” Proofpoint says.

Related: Carberp Successor Bolek Banking Trojan Emerges

Related: “Marcher” Banking Trojan Targets Over 60 Organizations

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.