Although Canada has not been exempt from banking malware attacks before, there has been a marked increase in their frequency, diversity and scale, pointing to a current focus on Canadian users.
The malware in use spans six different banking Trojan families: Dridex, Zeus, Kronos, Vawtrak, Gootkit and Ursnif.
Fake emails containing malicious links, or Word documents carrying malicious macros and OLE objects, appear to be the primary method of delivering the infection.
During the past few months, Proofpoint security researchers have documented a number of specific attack campaigns that used various social engineering techniques. These included emails luring unsuspecting users into downloading and running malicious payloads under the guise of Microsoft security updates or fake UPS and Canada Post delivery notices.
The first campaign, on May 17, 2016, used a fake Microsoft security alert that pointed users to a link serving a Kronos executable. This instance of Kronos was configured to target Canadian, Australian and US financial organisations.
The second campaign, on June 6, appeared as a Canada Post delivery notice. In this case the payload was Dridex botnet 220, delivered via malicious macros and configured to attack various Canadian financial websites.
On June 26, malicious attachments were sent disguised as a photo and a Microsoft Excel file embedded within a Microsoft Word document named ‘notice.docx’. The links led to JavaScript downloaders, which pulled down Gootkit as their payload. This configuration targeted Canadian and German websites.
Sticking with the theme of missed deliveries to mislead Canadian internet users, the fourth example was a fake UPS proof-of-delivery notice, complete with corporate branding, which contained macros that downloaded Vawtrak Project 21. This variant was configured to target financial sites in Canada and the UK.
In any case, Canadian banking users are advised to remain vigilant against online threats, especially those that rely on email phishing.
Users are reminded to check the source of the emails they receive, especially those requesting further action involving external links or documents. Particular attention should be given to any email attachment that prompts the recipient to enable macros.
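As an added illustration, not part of the original article or of Proofpoint's research, the check below inspects an Office Open XML attachment in memory and flags the two delivery components described above: a VBA macro part and embedded OLE objects (the `notice.docx` pattern). The sample documents it builds are constructed stand-ins, not real Word files, and the embedding part locations are assumed from the standard package layout.

```python
import io
import zipfile

# Assumed standard part locations for embedded OLE objects in Word/Excel/PowerPoint packages.
EMBEDDING_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")

def inspect_ooxml(data: bytes) -> dict:
    """Report which risky components an OOXML (docx/docm/xlsx/...) blob contains.
    Works on raw bytes, so a MIME attachment can be checked without touching disk;
    non-zip input (e.g. a legacy binary .doc) is reported with ooxml=False, not raised."""
    result = {"ooxml": False, "has_vba": False, "embedded_objects": [], "macro_enabled_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["ooxml"] = True
    names = zf.namelist()
    for name in names:
        lower = name.lower()
        if lower.endswith("vbaproject.bin"):  # VBA macro storage part
            result["has_vba"] = True
        if lower.startswith(EMBEDDING_DIRS):  # embedded OLE objects, as in notice.docx
            result["embedded_objects"].append(name)
    # [Content_Types].xml declares macro-enabled parts even if a .docm was renamed to .docx.
    if "[Content_Types].xml" in names:
        types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
        result["macro_enabled_type"] = "macroenabled" in types_xml
    return result

def is_suspicious(data: bytes) -> bool:
    """True if the attachment carries macros or OLE embeddings and merits quarantine or review."""
    r = inspect_ooxml(data)
    return r["has_vba"] or bool(r["embedded_objects"]) or r["macro_enabled_type"]

def build_sample(with_macro: bool, with_ole: bool) -> bytes:
    """Construct a minimal OOXML-shaped package for testing (constructed, not a real Word file)."""
    types_xml = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    if with_macro:
        types_xml += ('<Override PartName="/word/document.xml" '
                      'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>')
    types_xml += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
        if with_ole:
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()
```

A mail gateway or SOC triage script can run `is_suspicious` over each attachment's bytes and route hits to quarantine for analyst review rather than to the inbox.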