Multiple Banking Trojans Assault Users in Canada

Multiple banking Trojans were observed over the past couple of months focusing on users in Canada as part of campaigns of higher volume and broader diversity, Proofpoint researchers warn.

The security company explains that numerous threat actors appear to have switched focus to Canada over a short period of time, and that the analyzed campaigns ranged from dozens of messages to tens of thousands. While most of these campaigns used malicious Word documents to install the banking Trojans onto victims’ PCs, malicious URLs pointing to malware were also spotted.

Canadian users have been targeted by similar email-based malware and phishing campaigns in the past, but researchers say that they appear to be intensifying lately. What’s more, the malicious payloads in these spam runs are a variety of banking Trojans, specifically designed to steal money from the individuals or businesses affected by this type of malware.

Proofpoint has observed six different banking Trojan families targeting customers of Canadian financial institutions, namely Dridex, Vawtrak, Kronos, Zeus, Gootkit, and Ursnif. When deployed, these Trojans are configured to work with specific banks, which also allows researchers to determine country-specific targets and the location of victims.

Attackers used various tactics to deliver their malicious payloads to unsuspecting users, including malicious macros and object linking and embedding (OLE) objects in Office documents, as well as links in spam emails, researchers say.

The first campaign was observed on May 17 and relied on a fake Microsoft security alert as a social engineering lure to trick victims into clicking on a link that led to an executable download. Once the victim launched the malicious payload, their machine was infected with Kronos, a banking Trojan spotted for the first time two years ago. According to Proofpoint, this malware variant was specifically configured to target customers of US, Canadian, and Australian financial institutions.

Seen on June 6, the second campaign used a document attachment posing as a Canada Post failed delivery notice. The document contained malicious macros that, once enabled, would download and install Dridex botnet 220. The spam run occurred while the Necurs botnet was down, and the Dridex instance used in it was configured to target various Canadian financial sites (Dridex was focusing on the US only a couple of months ago).

A Gootkit campaign was observed on June 26, using a document with OLE objects that disguised JavaScript downloaders as a Microsoft Excel spreadsheet and a photo. When the user launches the alleged spreadsheet or photo, the JavaScript runs and the Gootkit payload is fetched. According to researchers, the Trojan variant in this campaign was configured to target Canadian and German financial sites.

Only two days ago, Proofpoint spotted another campaign, which uses a fake UPS proof of delivery document with malicious macros meant to download Vawtrak Project 21. Attackers use well-known brand names and stolen logos to trick users into believing the received message and attachment are legitimate. The Vawtrak variant in this campaign was configured to target Canadian and UK financial sites.

Proofpoint researchers underline that, although banking Trojans were seen targeting Canada before, there has been a spike in infection campaigns, as well as in the number of malware variants focused on users in this country. Banking Trojans, however, are global threats, and organizations and individuals should avoid opening attachments or links coming from unknown sources, and should also configure their online banking accounts with maximum security settings.

“Organizations should also invest in appropriate security technologies to protect their employees from falling prey to these attacks. Businesses are particularly at risk because their bank accounts typically contain much larger amounts of money and are therefore a higher-priority target for attackers. Larger employee pools also increase the odds of a successful infection,” Proofpoint says.
