Between January and May 2019, financially motivated cybercriminals targeted numerous Canadian companies and services with thousands of malicious email campaigns that delivered several distinct malware families.
While these email campaigns are usually initiated by financially-motivated cybercriminals, they may also be arranged and executed by state
“Banking Trojans and the Emotet botnet lead the pack, creating risks for organizations and individuals with compelling lures and carefully crafted social engineering,” said Proofpoint researchers. “Top affected industries in Canada include financial services, energy/utilities, manufacturing, healthcare, and technology.”
Below is a list of the high-risk malware payloads currently targeting Canadian businesses, notably banking and financial services.
Emotet, first identified in 2014, is general-purpose malware that evolved from the Cridex banking trojan. Initially aimed at Western European financial institutions, Emotet has grown into a large general-purpose botnet whose modules provide spamming, email harvesting, information stealing, banking fraud, payload downloading, and DDoS capabilities.
In 2019, Emotet was used in several high-volume campaigns that sent tens of millions of messages to recipients in numerous countries, including Canada.
TA542, the principal threat actor behind Emotet, was responsible for most of the campaigns targeting Canadian companies.
“The messages were sent with attached malicious Microsoft Word documents and/or URLs that linked to malicious documents,” researchers indicated. “The Word documents contained macros that, when enabled, installed an instance of Emotet. In this particular campaign, TA542 also spoofed Amazon invoices, which included links to malicious Word documents.”
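The delivery vector described above (Word attachments carrying VBA macros, sometimes arriving under an invoice-themed filename) can be screened at the mail gateway by inspecting attachment contents rather than trusting the extension. The following Python is an added example written for this page, not code from Proofpoint or from the campaign analysis: it builds two minimal OOXML packages in memory as constructed test data and then classifies attachments by looking for a `vbaProject.bin` part or a macro-enabled content type inside the zip. Legacy binary `.doc` files (OLE2 magic) are flagged for deeper inspection, since parsing their macro storage needs a library outside the standard library.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by .doc/.xls files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Word declares for a macro-enabled (.docm) main document part.
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_ooxml(macro_enabled: bool) -> bytes:
    """Constructed test data: a minimal Word OOXML package, optionally with a VBA project part."""
    ctype = MACRO_CONTENT_TYPE if macro_enabled else PLAIN_CONTENT_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   b'<Types><Override PartName="/word/document.xml" ContentType="' + ctype + b'"/></Types>')
        z.writestr("word/document.xml", b"<w:document/>")
        if macro_enabled:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder, not a real VBA project
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Classify by content only: 'macro', 'legacy-ole', 'clean' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office file: macros live in an OLE storage; inspect with oletools/olefile.
        return "legacy-ole"
    if data[:2] != b"PK":
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            # Covers word/, xl/ and ppt/ packages alike.
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
            ctypes = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
            declared_macro = MACRO_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        return "unknown"
    return "macro" if (has_vba or declared_macro) else "clean"


# Constructed sample attachments keyed by filename; the extension is deliberately not consulted.
SAMPLE_ATTACHMENTS = {
    "invoice.docx": build_ooxml(False),
    "Amazon_invoice.docm": build_ooxml(True),
    "order.doc": OLE2_MAGIC + b"\x00" * 512,
    "notes.txt": b"plain text body",
}


def triage(attachments: dict) -> dict:
    """Map each filename to a gateway decision; macro-bearing and legacy OLE files are quarantined."""
    decisions = {}
    for name, data in attachments.items():
        verdict = classify_attachment(data)
        decisions[name] = "quarantine" if verdict in ("macro", "legacy-ole") else "deliver"
    return decisions


if __name__ == "__main__":
    for name, decision in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {decision}")
```

The quarantine policy for legacy OLE files is a deliberately conservative placeholder: in production the `legacy-ole` branch should hand the file to a parser that can enumerate the VBA storage instead of blocking every `.doc`.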
Another prevalent threat seen targeting Canadian companies in particular is Ursnif, a trojan deployed to steal data from customers of online banking sites. The malware can harvest data such as stored passwords and can download updates, additional modules, or other malware onto infected PCs.
“There are now multiple variants of Ursnif in the wild, following the release of an earlier version’s source code (version 2.13.241). Variants include
IcedID is a banking Trojan first observed in circulation in April 2017. Since then it has been distributed worldwide by several unrelated threat actors, in campaigns aimed at companies in Canada and Italy among other countries.
Between January and May, researchers observed several IcedID affiliates targeting Canadian corporations at higher rates than elsewhere.
Trickbot, also known as “The Trick,” is another notorious modular banking Trojan. The core bot maintains a persistent infection, downloads additional modules, loads affiliate payloads, and applies updates to the malware itself.
Early in an infection, Trickbot attempts to disable anti-virus services, abusing PowerShell to do so.
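Anti-virus tampering through PowerShell leaves a trace in PowerShell script block logging (event ID 4104) and in process command lines, which is where a defender can catch it. The Python below is an added example for this page, not Trickbot's code or a Proofpoint signature: it scans constructed script block lines for generic Windows Defender tampering indicators (the indicator list is an assumption, representative rather than exhaustive) and also decodes `-EncodedCommand` payloads, which are base64 over UTF-16LE, so that an encoded `Set-MpPreference` call is matched the same as a plain one.

```python
import base64
import re

# Generic Defender/AV tampering indicators (assumption: representative, not a Trickbot-specific signature).
INDICATORS = {
    "defender-realtime-off": re.compile(r"Set-MpPreference\b.*-Disable\w*Monitoring\s+\$?true", re.I),
    "defender-exclusion": re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I),
    "service-stop": re.compile(
        r"\b(?:Stop-Service|sc(?:\.exe)?\s+(?:stop|delete|config))\b.*\b(?:WinDefend|WdNisSvc|Sense)\b", re.I),
    "uninstall-defender": re.compile(r"Uninstall-WindowsFeature\b.*Windows-Defender", re.I),
}

# powershell.exe accepts -EncodedCommand and its abbreviations; the value is base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(line: str) -> str:
    """Return the line plus the decoded text of any -EncodedCommand payload it carries."""
    decoded = []
    for m in ENC_RE.finditer(line):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-16: leave the raw line to be matched as-is
    return line + ("\n" + "\n".join(decoded) if decoded else "")


def scan_script_blocks(lines):
    """Yield (line number, indicator name) for every tampering indicator found, encoded or plain."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        text = decode_encoded_commands(raw)
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((lineno, name))
    return hits


# Constructed sample script block lines (not captured from a real infection).
ENCODED_SAMPLE = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents",                 # benign
    "Set-MpPreference -DisableRealtimeMonitoring $true",         # real-time protection off
    "sc.exe stop WinDefend",                                     # Defender service stopped
    "powershell.exe -nop -w hidden -enc " + ENCODED_SAMPLE,      # same as line 2, encoded
    "Add-MpPreference -ExclusionPath C:\\ProgramData",           # exclusion added for a drop folder
    "Stop-Service -Name Spooler",                                # benign: not an AV service
]

if __name__ == "__main__":
    for lineno, name in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {lineno}: {name}")
```

The decode step matters more than the pattern list: without it, line 4 above is invisible to every indicator, and `-enc` is the form most loaders actually use.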
Unsurprisingly, the notoriousness of the
GandCrab encrypts victims’ files and drops a ransom note in every directory of the infected system’s disk.
The ransom note directs the victim to a payment portal hosted on a dark web site in order to pay the ransom.
“While ransomware is now relatively rare in email,
DanaBot is a banking Trojan that was observed mainly targeting Canada, using “Canada Post” themed lures, between January and May 2019.
FormBook is a browser form stealer and keylogger that was seen in campaigns targeting Canadian businesses.
“This malware is notable in its use of ‘decoy domains’ in its command and control (C&C) communications; typically it will connect to 15 randomly selected domains, one of which is replaced by the correct C&C,” researchers stated.
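The decoy pattern described above, where one host contacts many domains in quick succession and only one of them is the real C&C, is itself a network signal: a single source sending to the same URI path on many distinct domains within a short window. The Python below is an added example for this page, not FormBook's code or a Proofpoint detection: it parses constructed proxy log lines and flags any (source, path) pair that reaches at least `min_domains` distinct domains inside a sliding time window. The log format, the `.example` domains, the 60-second window and the threshold of 10 are all assumptions chosen for illustration; the grouping by path generalises beyond FormBook to any malware that fans out a fixed beacon over decoy hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines: "<ISO8601 ts> <src ip> <method> <url> <status>".
# 10.1.2.3 posts to the same random-looking path on 16 domains within 16 seconds
# (15 decoys plus the real C&C); 10.1.2.4 is ordinary browsing.
SAMPLE_PROXY_LOG = [
    f"2019-03-12T10:15:{i:02d}Z 10.1.2.3 POST http://d{i:02d}.example/gh34/ 200"
    for i in range(16)
] + [
    "2019-03-12T10:15:03Z 10.1.2.4 GET http://news.example/ 200",
    "2019-03-12T10:15:04Z 10.1.2.4 GET http://cdn.example/app.js 200",
    "2019-03-12T10:15:05Z 10.1.2.4 GET http://img.example/logo.png 200",
    "2019-03-12T10:16:30Z 10.1.2.4 POST http://mail.example/login 302",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, src, host, path) for a log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, _method, url, _status = m.groups()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    u = urlparse(url)
    return when, src, u.hostname, u.path


def find_decoy_bursts(lines, min_domains=10, window=timedelta(seconds=60)):
    """Flag (src, path, peak) where one source hit >= min_domains distinct domains on one path within window."""
    by_key = defaultdict(list)  # (src, path) -> [(timestamp, host), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when, src, host, path = rec
        by_key[(src, path)].append((when, host))

    alerts = []
    for (src, path), events in by_key.items():
        events.sort()
        in_window = defaultdict(int)  # host -> number of requests inside the current window
        start, peak = 0, 0
        for when, host in events:
            in_window[host] += 1
            # Slide the window start forward past events older than `window`.
            while when - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_domains:
            alerts.append((src, path, peak))
    return alerts


if __name__ == "__main__":
    for src, path, peak in find_decoy_bursts(SAMPLE_PROXY_LOG):
        print(f"{src} contacted {peak} distinct domains on {path} within 60s")
```

Grouping on the URI path is what keeps ordinary browsing (many domains, many different paths) out of the alert; a host that legitimately fetches the same path from many CDN domains would still trip it, so the threshold should be tuned against the environment's own baseline.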
Dridex is a banking Trojan that steals personal banking information as well as credentials for social media sites and webmail. It has been observed in many campaigns targeting Canadian services.
First discovered in November 2014, Dridex has been used in numerous phishing attacks against financial and accounting businesses.
Dridex is considered the successor to Cridex, a closely related banking Trojan.
The malware is sold as a service to other cybercriminals and is distributed in several ways, including Microsoft Word documents attached to email, spammed URLs leading to zipped executables, and exploit kits.