ThreatList: Top 8 Threat Actors Targeting Canada in 2019 | Threatpost

Banking and financial services in Canada are being targeted in geo-specific attacks looking to spread varying forms of malware, according to researchers tracking thousands of malicious email campaigns between January 2019 to May 2019.

In particular, campaigns are typically launched by financially-motivated cybercriminals, but can also be orchestrated by national, state-sponsored threat actors (such as Advanced Persistent Threat or APT groups), said researchers with Proofpoint.

“In 2019, threats specific to Canadian interests, whether abusing Canadian brands, or affecting Canadian organizations through specific geo-targeting mean that defenders at Canadian companies must be cognizant of threats far more targeted than ‘North America,’” researchers said.

“Banking Trojan and the Emotet botnet lead the pack, creating risks for organizations and individuals with compelling lures and carefully crafted social engineering,” said researchers. “While Canada-targeted threats are not new, Emotet in particular, with its frequent region-specific email campaigns, is bringing new attention to geo-targeting in Canada and beyond.”

Below are eight of the most high-risk malware payloads targeting Canada right now, according to researchers.

TA542, the primary actor behind the Emotet trojan, was responsible for targeting the majority of Canadian organizations, researchers said. Interestingly, TA542 sends malicious mail that is specific to given regions.

Emotet, which first burst into the scene in 2014 as a banking trojan, has transformed into a more general-purpose malware with several modules giving it multiple capabilities, including spamming, email logging, information stealing, bank fraud, downloading, and DDoS.

Specifically in 2019, Emotet was seen in several high-volume campaigns distributing tens of millions of messages across several countries, including Canada.

“The messages were sent with attached malicious Microsoft Word documents and/or URLs that linked to malicious documents,” researchers said. “The Word documents contained macros that, when enabled, installed an instance of Emotet. In this particular campaign, TA542 also spoofed Amazon invoices, which included links to malicious Word documents.”

Another common threat seen specifically targeting Canadian organizations is Ursnif, a trojan with capabilities of stealing data from online banking website users. The malware, which was recently seen in a recent January campaign, looks to steal data such as stored passwords as well as download updates, modules, or other malware on victim PCs.

“There are now multiple variants of Ursnif in the wild, following the release of an earlier version’s source code (version 2.13.241). Variants include Dreambot, Gozi ISFB, and Papras,” researchers said.

Between January and May, researchers saw several IcedID affiliates appearing to target Canadian firms at higher rates than other locations. IcedID is a banking Trojan that was originally observed being distributed in April 2017 – but since then, the malware has continued to pop up in several campaigns, including several that are targeted toward Canadian companies.

“Since then, it has also been distributed by other unaffiliated actors,” researchers said. “IcedID is international in scope and affects countries including the US, Canada, Italy, and others.”

Trickbot, aka “The Trick,” is another well-known modular banking Trojan. The malware recently resurfaced in February with an updated info-stealing module that allows it to harvest remote desktop application credentials – and an eye on Canadian victims.

“The main bot enables persistent infections, downloading of additional modules, loading affiliate payloads, and loading updates for the malware,” said researchers. “The Trick initially will attempt to disable any antivirus-related services by abusing PowerShell.”

With the popularity of the GandCrab ransomware, it may come as no surprise that this malware has also been spotted targeting Canadian victims.

The ransomware encrypts victims’ files and drops a ransom note in each directory of the client machine’s hard disk.

“This malware appears to be shared among threat actors using an affiliate business model and is deployed via malicious advertising and malicious email attachments,” researchers said. “While ransomware is now relatively rare in email, GandCrab has consistently appeared in email campaigns this year.”

The DanaBot banking Trojan was spotted specifically targeting Canada with “Canada Post” themed lures between January 1 and May 1, 2019.

DanaBot, which was discovered in May 2018 targeting users in Australia via emails containing malicious URLs, includes banking site web injections and stealer functions. The trojan has also recently been seen in a phishing email scam campaign targeting potential victims with fake invoices from software company MYOB.

FormBook, a browser form stealer and keylogger that is under active development, was also spotted in campaigns targeting Canadian firms. The malware has been active for years, and in fact was spotted last year in a wave of attacks targeting financial and information service sectors in the Middle East and United States.

“This malware is notable in its use of ‘decoy domains’ in its command and control (C&C) communications; typically it will connect to 15 randomly selected domains, one of which is replaced by the correct C&C,” researchers said.


Dridex, a banking Trojan targeting personal banking information and credentials for other sites  (such as social media platforms and webmail), has been seen in several campaigns targeting Canadian based firms.

First spotted in November 2014, Dridex has been seen in several subsequent phishing attacks against financial and accounting services. The malware, which is sold as a service to malicious actors, is delivered via several methods, including via emailed Microsoft Word doc attachments, spammed URLs leading to zipped executables, and exploit kits.

Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.