Overview
Threat actors behind banking Trojan malware are known to switch targeted geographies from time to time, and it appears that a number have set their sights on Canada within a short time frame. In the past couple of months Proofpoint has observed a number of campaigns targeting Canadian online banking users, varying in scale from dozens of messages across a small subset of our customers to tens of thousands of messages seen more broadly. These campaigns have primarily used malicious Microsoft Word documents to install banking Trojans on victims' PCs, but we have also seen campaigns that use links leading to malware.
While it is not uncommon to see email-based malware and phishing campaigns targeting Canadian residents and businesses, the volume and diversity of these campaigns seem to be increasing. The malicious payloads we have been observing include all types of banking Trojans, malware specifically designed to steal funds from online banking users. An individual or business infected with this malware is likely to have (potentially large) amounts of money stolen from their bank accounts if they log in to their online banking system while the malware is active. When deployed, banking Trojans must be configured to work with specific banks, allowing us to detect country-specific targeting based on these configurations as well as on the location of the businesses receiving the malicious emails used to distribute the Trojans.
In particular, we have observed six different banking Trojan families, including Ursnif, Dridex, Kronos, Zeus, Gootkit, and Vawtrak, all targeting customers of Canadian financial institutions. The Dridex banking Trojan alone has been tied to at least $40 million in losses in the US and UK [1].
Trojan Analysis
The spam messages we observed associated with this banking Trojan malware used several different tactics to deliver malicious payloads to users, including malicious macros, packager shell objects (aka OLE objects), and links.
The first example, a campaign observed on May 17, 2016, uses a fake Microsoft security alert as a social engineering lure to trick the victim into opening a link that leads to an executable download. The user would then have to open the downloaded executable in order to infect their computer. In this case the payload was Kronos, a banking Trojan which was introduced in July of 2014 [2]. This instance of Kronos was configured to target US, Canadian, and Australian financial sites.
The second example, a campaign observed on June 6, 2016, uses a document attachment posing as a Canada Post failed delivery notice and contains macros that, if enabled, download and install Dridex botnet 220. Notably, this campaign was not sent out by the Necurs botnet and occurred during the recent Necurs botnet outage [3]. At this time, Dridex 220 was configured to target a variety of Canadian financial sites.
The third example, a campaign observed on June 26, 2016, uses a document with packager shell objects [4] posing as a Microsoft Excel spreadsheet and a photo, but which are, in fact, JavaScript downloaders. Double-clicking on either object runs the JavaScript which would then download the Gootkit payload [5]. This instance of Gootkit is configured to target Canadian and German financial sites.
The fourth example, a campaign observed on June 28, 2016, uses a fake UPS proof of delivery document (including stolen branding) which contains macros that, if enabled, would download Vawtrak [6] Project 21. Like the examples in Figures 1 and 2 above, the lure leverages well-known brand names and stolen logos to create an air of legitimacy that will trick a user into running the malicious attachment content. This Vawtrak project is configured to target primarily Canadian financial sites, but also includes targeting for UK sites.
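Three of the four campaigns above arrive as Word documents, and the two attachment mechanisms they rely on (VBA macros, and packager/OLE objects dressed up as a spreadsheet or photo) both leave structural traces in the OOXML container that can be checked without opening the file in Office. The following script is an added example, not Proofpoint's tooling: it relies only on the standard OOXML part layout (a `vbaProject.bin` part for macros, parts under `word/embeddings/` for embedded objects, and `TargetMode="External"` relationships for links out of the document) and builds its own minimal sample containers inline so it runs offline. The `triage_ooxml` and `build_sample` names and the sample contents are constructed for this example.

```python
"""Static triage of an OOXML (.docx/.docm) attachment for the delivery mechanisms
seen in the Canadian banking Trojan campaigns: VBA macros and embedded packager
(OLE) objects. Added example; nothing here executes document content."""
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespace used by every OOXML relationships (.rels) part.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


@dataclass
class TriageResult:
    has_macros: bool = False
    embedded_objects: list = field(default_factory=list)
    external_targets: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Either mechanism used by the campaigns above is enough to escalate
        # the attachment for sandboxing rather than delivering it to the user.
        return self.has_macros or bool(self.embedded_objects)


def triage_ooxml(data: bytes) -> TriageResult:
    """Inspect the zip container only; never render or open the document."""
    result = TriageResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Macro-enabled documents store the VBA project as a binary part.
        result.has_macros = any(n.lower().endswith("vbaproject.bin") for n in names)
        # Packager/OLE objects (the fake "spreadsheet" and "photo" icons that are
        # really script downloaders) are stored under word/embeddings/.
        result.embedded_objects = sorted(
            n for n in names if n.lower().startswith("word/embeddings/")
        )
        # Relationships marked External point outside the file (remote content
        # or links), which is worth recording for the analyst.
        for n in names:
            if not n.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(n))
            except ET.ParseError:
                continue  # malformed part: leave it for deeper tooling
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    result.external_targets.append(rel.get("Target", ""))
    return result


def build_sample(macros=False, embeddings=(), external_target=None) -> bytes:
    """Construct a minimal OOXML container for testing (constructed sample data,
    not a real lure document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if macros:
            zf.writestr("word/vbaProject.bin", b"\x00")
        for name in embeddings:
            zf.writestr(f"word/embeddings/{name}", b"\x00")
        rels = ['<Relationship Id="rId1" Type="x" Target="document.xml"/>']
        if external_target:
            rels.append(
                f'<Relationship Id="rId2" Type="x" Target="{external_target}" '
                'TargetMode="External"/>'
            )
        zf.writestr(
            "word/_rels/document.xml.rels",
            f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>',
        )
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [
        ("clean", build_sample()),
        ("macro lure", build_sample(macros=True, external_target="http://example.invalid/x")),
        ("packager lure", build_sample(embeddings=["oleObject1.bin", "oleObject2.bin"])),
    ]:
        r = triage_ooxml(sample)
        print(f"{label}: suspicious={r.suspicious} macros={r.has_macros} "
              f"objects={r.embedded_objects} external={r.external_targets}")
```

Used at a mail gateway or in an analyst's triage script, a `suspicious` result should route the attachment to detonation rather than to the inbox; the macro check alone would have flagged the Canada Post and UPS lures, and the embeddings check the fake spreadsheet/photo packager objects. A real deployment would also pass the embedded object parts to a tool that understands the OLE packager format to recover the script contents.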
Conclusion
Banking Trojans have been circulating for the better part of the last decade. Canada has hardly been immune to these types of malware, but recently we have observed an increase in campaigns and banking Trojan variants targeting Canadian interests. Regardless of their geographic location, organizations and individuals can take several steps to prevent infection and financial losses:
- Be vigilant when reading email messages that contain links or attachments. All of the campaigns described here relied on social engineering to trick users into infecting themselves with malware, even though their systems would have likely presented security warnings when they opened malicious files.
- Never enable macros in documents that arrive via email, and never download and run executables linked from an email message, unless you are absolutely certain the message is authentic.
- Configure online banking accounts with maximum security settings. For example, enabling two-factor authentication and notifications or confirmation for any money transfers can often prevent losses even if a system is infected.
- Organizations should also invest in appropriate security technologies to protect their employees from falling prey to these attacks. Businesses are particularly at risk because their bank accounts typically contain much larger amounts of money and are therefore a higher-priority target for attackers. Larger employee pools also increase the odds of a successful infection.
A double-double of user education and advanced threat security solutions can help Canadian organizations prevent both infection and financial losses related to banking Trojans and other malware.
References
[2] http://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/
[5] https://www.proofpoint.com/us/threat-insight/post/gootkit-banking-trojan-jumps-channel
[6] https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows
Indicators of Compromise (IOC)
IOC | IOC Type | Description
--- | --- | ---
c3fa5ae8e337e64154e96be03c82d22415068d9dbf8c188395f1a6cf777fa685 | SHA256 | Zeus Variant
fdbb6eba309812aeeb45fb6f0e103e80787975e2f6f8be2d41d95a44cf736707 | SHA256 | Document delivering the Zeus Variant
4cdbdd12d5270098d04e016912c0137ba37d95a234f6cc9091029ef407e8a193 | SHA256 | Vawtrak Project 21
aef39a4e0a5b5724dec5e65a7479cae711b65d21080e0de15c1235ff2951fa2b | SHA256 | Document delivering Vawtrak Project 21
b83f945c923b888a597fb7f1db205515cc3bb140bfcb2140a09b8595e5384e99 | SHA256 | Ursnif 1200
dafb4379504581c43c8fb0bf3c1724dc205e99599df5d03326eff9aa2f5e84ab | SHA256 | Document leading to download of Ursnif 1200
d945dcd6e3c1e3bff7536d5cf099780d9fdc7ad9efa31752e7b287dce66b194b | SHA256 | Ursnif 2003
53836f902e441f2c0981ffdba44f2e013d31c3da2d38bd26e68b0bebf10ea5ea | SHA256 | Document leading to download of Ursnif 2003
5cf89991284ffde6be3484be9f8f889b6d2e9cc3e251e21ef62ef2a06034c90b | SHA256 | Gootkit
9fe4292df260f4fac94f27154336a02fb45b5e8d8de31e60658c6c9bede9a9b8 | SHA256 | Document delivering Gootkit
0716a093c36f7d9b592cd294c4d2761c39af3251d6feca167ebde18758222e2e | SHA256 | Dridex Botnet 220
ad15d77430405baaf10424f895d91314d2272d28bd7d38aa84260ae57339342c | SHA256 | Document delivering Dridex 220
ae03cca0f7062bab07f50b02a0deecc5df6388b9e764ddc4439fbbcee72a4996 | SHA256 | Kronos
hxxp://83.149.126[.]163/en-us/download/EVA-051616.EXE | URL | URL leading to download of Kronos