Oh Canada! – Canucks under attack in the latest wave of banking Trojan scams

Canadian online users appear to be the current target of the latest wave of email-based phishing campaigns used to deliver banking malware.

Canadian online banking users appear to be the current target of the latest wave of email-based phishing campaigns.

While Canada hasn’t been exempt from banking malware attacks in the past, it appears that there has been a marked increase in the frequency, diversity, and scale, pointing to a present focus on Canadian users.

The exploits families in use have come from six different variants of banking Trojan, which include Zeus, Dridex, Kronos, Ursnif, Vawtrak and Gootkit.

Malicious links within fake emails and infected word documents with malicious macros and OLE objects appear to be the primary delivery method.

Security vendor Proofpoint reported a number of specific attack methods over the last few months which used various social engineering techniques within emails, luring unsuspecting users into downloading and running malicious payloads under the guise of Microsoft security updates or fake UPS and Canada Post delivery notes.

The analysis highlighted the following four examples.

The first in the selection appeared on May the 17^th of this year and used a fake Microsoft security alert, pointing users to a link containing an executable – Kronos.

This instance of Kronos was configured to target Canadian, Australian and US financial organisations

Screenshot of the fake MS security update linking to Kronos banking trojan

The second example appeared on June 6^th and appeared as a Canada Post delivery notice. The malicious payload in this instance was actually discovered to be Dridex botnet 220 packaged with malicious macros and was configured to attack various Canadian financial sites.

The fake Canada Post failed delivery note

On June 26^th malicious attachments were sent as in the guise of a photo and a Microsoft Excel file, located within a Microsoft Word document with the file name ‘notice.docx’. The links led to JavaScript downloaders, which pulled down Gootkit as their payload. The configurations were set to specifically target Canadian and German sites.

Gootkit downloaders disguised as links within a word document

Sticking with the theme of missed deliveries to mislead Canadian netizens, the fourth example produced showed a false UPS proof of delivery notice, complete with corporate branding which contained macros that facilitated the download of Vawtrak Project 21. This particular variant was configured to target financial sites in Canada and the UK.

UPS apparently attempting to deliver malware

Banking users are being urged, especially those using Canada financial institutions, to remain ever vigilant of online threats, particularly those relying on phishing techniques via email.

As always users are reminded to be mindful of the source of the emails that user receive, especially those requesting additional actions involving external links or documents. And special attention should always be given to any attachments received via email, which encourage the acceptance of the use of Macros.

With the current methods in web technology in use today, the threat of online banking scams is something that isn’t going to go away anytime soon, however, although the attack methods themselves may vary, the techniques used for identifying and evading them follow the same principles.

Written by: Steven Boyd

Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews

 

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –banking Trojan, malware)