Multiple banking Trojans were observed over the past couple of months focusing on users in Canada as part of campaigns of higher volume and broader diversity, Proofpoint researchers warn.
The security company explains that numerous threat actors appear to have switched focus to Canada over a short period of time, and that the analyzed campaigns ranged from dozens of messages to tens of thousands. While most of these campaigns used malicious Word documents to install the banking Trojans onto victims’ PCs, malicious URLs pointing to malware were also spotted.
Canadian users have been targeted by similar email-based malware and phishing campaigns in the past, but researchers say that they appear to be intensifying lately. What’s more, the malicious payloads in these spam runs are a variety of banking Trojans, specifically designed to steal money from the individuals or businesses affected by this type of malware.
Proofpoint has observed six different banking Trojan families targeting customers of Canadian financial institutions, namely Dridex, Vawtrak, Kronos, Zeus, Gootkit, and Ursnif. When deployed, these Trojans are configured to work with specific banks, which also allows researchers to determine country-specific targets and the location of victims.
Attackers used various tactics to deliver their malicious payloads to unsuspecting users, including malicious macros and object linking and embedding (OLE) objects in Office documents, as well as links in spam emails, researchers say.
The first campaign was observed on May 17, relying on a fake Microsoft security alert social engineering lure to trick victims into clicking on a link that would take them to the executable download. As soon as the victim would launch the malicious payload, their machine would be infected with Kronos, a banking Trojan spotted for the first time two years ago. According to Proofpoint, this malware variant was specifically configured to target customers of US, Canadian, and Australian financial institutions.
Seen on June 6, the second campaign was using a document attachment posing as a Canada Post failed delivery notice, but which contained malicious macros that, once enabled, would download and install Dridex botnet 220. The spam run occurred while the Necurs botnet was down, while the Dridex instance used in it was configured to target various Canadian financial sites (Dridex was focusing on US only a couple of months ago).
A Gootkit campaign was observed on June 26, using a document with OLE objects and hiding JavaScript downloaders as a Microsoft Excel spreadsheet and a photo. When the user launches the alleged spreadsheet or photo, the JavaScript runs and the Gootkit payload is fetched. According to researchers, the Trojan variant in this campaign was configured to target Canadian and German financial sites.
Only two days ago, Proofpoint spotted another campaign, which uses a fake UPS proof of delivery document with malicious macros meant to download Vawtrak Project 21. Attackers use well-known brand names and stolen logos to trick users into believing the received message and attachment are legitimate. The Vawtrak variant in this campaign was configured to target Canadian and UK financial sites.
What Proofpoint researchers underline is the fact that, although banking Trojans were seen targeting Canada before, there has been a spike in infection campaigns, as well as in the number of malware variants focused on users in this country. Banking Trojans, however, are global threats, and organizations and individuals should avoid opening attachments or links coming from unknown sources, and should also configure their online banking accounts with maximum security settings.
“Organizations should also invest in appropriate security technologies to protect their employees from falling prey to these attacks. Businesses are particularly at risk because their bank accounts typically contain much larger amounts of money and are therefore a higher-priority target for attackers. Larger employee pools also increase the odds of a successful infection,” Proofpoint says.
Related: Carberp Successor Bolek Banking Trojan Emerges
Related: “Marcher” Banking Trojan Targets Over 60 Organizations