Banking Trojans go loonie for toonies: Dridex, Vawtrak and others increase focus on Canada

June 29, 2016
Proofpoint Staff

Overview

Threat actors are known to switch targeted geographies from time to time, and it appears that a number of them have set their sights on Canada within a short time frame. In the past couple of months Proofpoint has observed a number of campaigns targeting Canadian online banking users, varying in scale from dozens of messages across a small subset of our customers to tens of thousands of messages seen more broadly. These campaigns have primarily used malicious Microsoft Word documents to install banking Trojans on victims' PCs, but we have also seen campaigns use links leading to malware.

While it is not uncommon to see email-based malware and phishing campaigns targeting Canadian residents and businesses, the volume and diversity of these campaigns seem to be increasing. The malicious payloads we have been observing are banking Trojans of several families, malware specifically designed to steal funds from online banking users. An individual or business infected with this malware is likely to have (potentially large) amounts of money stolen from their bank accounts if they log in to their online banking system while the malware is active. When deployed, banking Trojans must be configured to work with specific banks, so these configurations, together with the location of the businesses receiving the malicious emails used to distribute the Trojans, allow us to identify country-specific targeting.

In particular, we have observed six different banking Trojan families, Ursnif, Dridex, Kronos, Zeus, Gootkit, and Vawtrak, all targeting customers of Canadian financial institutions. Dridex alone has been tied to at least $40 million in losses in the US and UK [1].


Analysis

The spam messages we observed used several different tactics to deliver malicious payloads to users, including macros, packager shell objects (aka OLE objects), and links.

The first example, a campaign observed on May 17, 2016, uses a fake Microsoft security alert as a social engineering lure to trick the victim into opening a link that leads to an executable download. The user would then have to open the downloaded executable in order to infect their computer. In this case the payload was Kronos, a banking Trojan which was introduced in July 2014 [2]. This instance of Kronos was configured to target US, Canadian, and Australian financial sites.


Figure 1: Fake “security alert” email with a link leading to the Kronos installer

The second example, a campaign observed on June 6, 2016, uses a document attachment posing as a Canada Post failed delivery notice that contains macros which, if enabled, download and install Dridex botnet 220. Notably, this campaign was not sent out by the Necurs botnet and occurred during the recent Necurs botnet outage [3]. At this time, Dridex 220 was configured to target a variety of Canadian financial sites.


Figure 2: Fake Canada Post document with malicious macro leading to Dridex

The third example, a campaign observed on June 26, 2016, uses a document containing two packager shell objects [4] that pose as a Microsoft Excel spreadsheet and a photo but are, in fact, JavaScript downloaders. Double-clicking on either object runs the JavaScript, which then downloads the Gootkit payload [5]. This instance of Gootkit is configured to target Canadian and German financial sites.


Figure 3: Document used to deliver Gootkit

The fourth example, a campaign observed on June 28, 2016, uses a fake UPS proof-of-delivery document (including stolen branding) which contains macros that, if enabled, download Vawtrak [6] Project 21. Like the examples in Figures 1 and 2 above, the lure leverages well-known brand names and stolen logos to create an air of legitimacy that will trick a user into running the malicious content. This Vawtrak project is configured to target primarily Canadian financial sites, but also includes targeting for UK sites.


Figure 4: Fake delivery notification with stolen branding used to deliver Vawtrak Project 21
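The second, third and fourth examples all hinge on content hidden inside an Office document: a VBA macro project or a packager shell object that the user is tricked into activating. The following is an added example, not Proofpoint code or a sample from these campaigns, showing how a mail gateway or triage script can surface both artifacts in an Office Open XML (.docx/.docm) attachment before a user ever sees it. The sample documents are constructed in memory, and the search for script or executable extensions inside an embedding part is a heuristic that assumes the packager object stores the embedded file's original name as a NUL-terminated ANSI string.

```python
import io
import re
import zipfile

# Heuristic (assumption): a Packager object keeps the original file name of the
# embedded file as a NUL-terminated ANSI string, so a script/executable extension
# followed by NUL inside an embeddings/ part is a strong signal of a dropper.
SUSPICIOUS_EXT = re.compile(rb"\.(?:js|jse|vbs|vbe|wsf|hta|exe|scr|cmd|bat|ps1)\x00", re.IGNORECASE)

# Minimal OOXML skeleton parts (constructed so the samples below look like Word files).
_CONTENT_TYPES = (b'<?xml version="1.0" encoding="UTF-8"?>'
                  b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
_DOCUMENT = (b'<?xml version="1.0" encoding="UTF-8"?>'
             b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')


def build_sample(extra_parts):
    """Build an in-memory OOXML archive plus the given extra ZIP parts (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", _CONTENT_TYPES)
        z.writestr("word/document.xml", _DOCUMENT)
        for name, data in extra_parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def triage_ooxml(data):
    """Inspect OOXML bytes; return macros flag, embedded object parts, suspicious ones and a risk level."""
    findings = {"macros": False, "embedded_objects": [], "suspicious_embeddings": [], "risk": "low"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .doc (OLE2), RTF or junk is not a ZIP container: report it rather than crash.
        findings["risk"] = "unknown"
        findings["error"] = "not an OOXML (ZIP) container"
        return findings
    with archive:
        for name in archive.namelist():
            lower = name.lower()
            # VBA macros are stored in a vbaProject.bin part (word/, xl/ or ppt/).
            if lower.endswith("vbaproject.bin"):
                findings["macros"] = True
            # Packager shell objects and other OLE embeddings live under an embeddings/ folder.
            if "/embeddings/" in lower:
                findings["embedded_objects"].append(name)
                if SUSPICIOUS_EXT.search(archive.read(name)):
                    findings["suspicious_embeddings"].append(name)
    if findings["macros"] or findings["suspicious_embeddings"]:
        findings["risk"] = "high"
    elif findings["embedded_objects"]:
        # Embedded objects are common in legitimate business documents: flag for review only.
        findings["risk"] = "medium"
    return findings


if __name__ == "__main__":
    samples = {
        "clean.docx": build_sample({}),
        "macro.docm": build_sample({"word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed VBA project"}),
        "packager.docx": build_sample({
            "word/embeddings/oleObject1.bin": b"\x02\x00\x00\x00photo.jpg.js\x00C:\\Users\\x\\photo.jpg.js\x00",
            "word/embeddings/oleObject2.bin": b"\x02\x00\x00\x00report.xlsx.js\x00",
        }),
    }
    for filename, blob in samples.items():
        print(filename, triage_ooxml(blob))
```

The macro check is exact (the part either exists or it does not), while the embedding check is a triage signal: a document that merely embeds a spreadsheet lands at "medium", and only a script or executable name inside the object raises it to "high", matching the double-extension trick used in the Gootkit example.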


Conclusion

Banking Trojans have been circulating for the better part of the last decade. Canada has hardly been immune to these types of malware, but recently we have observed an increase in campaigns and banking Trojan variants targeting Canadian interests. Regardless of their geographic location, organizations and individuals can take several steps to prevent infection and financial losses:

  • Be vigilant when reading email messages that contain links or attachments. All of the campaigns described here relied on social engineering to trick users into infecting themselves with malware, even though their systems would have likely presented security warnings when they opened malicious files.
  • Never enable macros in documents that arrive via email, and never download and run executables linked from an email message, unless you are absolutely certain the message is authentic.
  • Configure online banking accounts with maximum security settings. For example, enabling two-factor authentication and notifications or confirmation for any money transfers can often prevent losses even if a system is infected.
  • Organizations should also invest in appropriate security technologies to protect their employees from falling prey to these attacks. Businesses are particularly at risk because their bank accounts typically contain much larger amounts of money and are therefore a higher-priority target for attackers. Larger employee pools also increase the odds of a successful infection.

A double-double of user education and advanced threat security solutions can help Canadian organizations prevent both infection and financial losses related to banking Trojans and other malware.


References

[1] http://www.tripwire.com/state-of-security/latest-security-news/dridex-p2p-malware-nets-cybercriminals-40-million/

[2] http://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/

[3] https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution

[4] https://blogs.technet.microsoft.com/mmpc/2016/06/14/wheres-the-macro-malware-author-are-now-using-ole-embedding-to-deliver-malicious-files/

[5] https://www.proofpoint.com/us/threat-insight/post/gootkit-banking-trojan-jumps-channel

[6] https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows


Indicators of Compromise (IOC)

| IOC | IOC Type | Description |
|---|---|---|
| c3fa5ae8e337e64154e96be03c82d22415068d9dbf8c188395f1a6cf777fa685 | SHA256 | Zeus Variant |
| fdbb6eba309812aeeb45fb6f0e103e80787975e2f6f8be2d41d95a44cf736707 | SHA256 | Document delivering the Zeus Variant |
| 4cdbdd12d5270098d04e016912c0137ba37d95a234f6cc9091029ef407e8a193 | SHA256 | Vawtrak Project 21 |
| aef39a4e0a5b5724dec5e65a7479cae711b65d21080e0de15c1235ff2951fa2b | SHA256 | Document delivering Vawtrak Project 21 |
| b83f945c923b888a597fb7f1db205515cc3bb140bfcb2140a09b8595e5384e99 | SHA256 | Ursnif 1200 |
| dafb4379504581c43c8fb0bf3c1724dc205e99599df5d03326eff9aa2f5e84ab | SHA256 | Document leading to download of Ursnif 1200 |
| d945dcd6e3c1e3bff7536d5cf099780d9fdc7ad9efa31752e7b287dce66b194b | SHA256 | Ursnif 2003 |
| 53836f902e441f2c0981ffdba44f2e013d31c3da2d38bd26e68b0bebf10ea5ea | SHA256 | Document leading to download of Ursnif 2003 |
| 5cf89991284ffde6be3484be9f8f889b6d2e9cc3e251e21ef62ef2a06034c90b | SHA256 | Gootkit |
| 9fe4292df260f4fac94f27154336a02fb45b5e8d8de31e60658c6c9bede9a9b8 | SHA256 | Document delivering Gootkit |
| 0716a093c36f7d9b592cd294c4d2761c39af3251d6feca167ebde18758222e2e | SHA256 | Dridex Botnet 220 |
| ad15d77430405baaf10424f895d91314d2272d28bd7d38aa84260ae57339342c | SHA256 | Document delivering Dridex 220 |
| ae03cca0f7062bab07f50b02a0deecc5df6388b9e764ddc4439fbbcee72a4996 | SHA256 | Kronos |
| [hxxp://83.149.126[.]163/en-us/download/EVA-051616.EXE] | URL | URL leading to download of Kronos |
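The indicators above are only useful once they are matched against what a defender actually has: file hashes from endpoint telemetry and URLs from proxy logs. The following added example (not Proofpoint code) loads the table as published, refangs the defanged Kronos URL (hxxp and [.] notation) so it can be compared with live log values, and runs the set over a few constructed proxy and endpoint events. The log format (space-separated key=value fields) and the host names, IPs and paths in the sample lines are invented for the example; the hashes and URL are the ones listed in the table.

```python
import re

# IOCs copied from the table above, keyed by the indicator as published.
IOCS = {
    "c3fa5ae8e337e64154e96be03c82d22415068d9dbf8c188395f1a6cf777fa685": ("SHA256", "Zeus Variant"),
    "fdbb6eba309812aeeb45fb6f0e103e80787975e2f6f8be2d41d95a44cf736707": ("SHA256", "Document delivering the Zeus Variant"),
    "4cdbdd12d5270098d04e016912c0137ba37d95a234f6cc9091029ef407e8a193": ("SHA256", "Vawtrak Project 21"),
    "aef39a4e0a5b5724dec5e65a7479cae711b65d21080e0de15c1235ff2951fa2b": ("SHA256", "Document delivering Vawtrak Project 21"),
    "b83f945c923b888a597fb7f1db205515cc3bb140bfcb2140a09b8595e5384e99": ("SHA256", "Ursnif 1200"),
    "dafb4379504581c43c8fb0bf3c1724dc205e99599df5d03326eff9aa2f5e84ab": ("SHA256", "Document leading to download of Ursnif 1200"),
    "d945dcd6e3c1e3bff7536d5cf099780d9fdc7ad9efa31752e7b287dce66b194b": ("SHA256", "Ursnif 2003"),
    "53836f902e441f2c0981ffdba44f2e013d31c3da2d38bd26e68b0bebf10ea5ea": ("SHA256", "Document leading to download of Ursnif 2003"),
    "5cf89991284ffde6be3484be9f8f889b6d2e9cc3e251e21ef62ef2a06034c90b": ("SHA256", "Gootkit"),
    "9fe4292df260f4fac94f27154336a02fb45b5e8d8de31e60658c6c9bede9a9b8": ("SHA256", "Document delivering Gootkit"),
    "0716a093c36f7d9b592cd294c4d2761c39af3251d6feca167ebde18758222e2e": ("SHA256", "Dridex Botnet 220"),
    "ad15d77430405baaf10424f895d91314d2272d28bd7d38aa84260ae57339342c": ("SHA256", "Document delivering Dridex 220"),
    "ae03cca0f7062bab07f50b02a0deecc5df6388b9e764ddc4439fbbcee72a4996": ("SHA256", "Kronos"),
    "[hxxp://83.149.126[.]163/en-us/download/EVA-051616.EXE]": ("URL", "URL leading to download of Kronos"),
}

# Constructed sample telemetry: "<timestamp> <source> key=value ...". The second SHA256 is the
# well-known hash of an empty file, used here as a benign placeholder.
SAMPLE_LOG = [
    "2016-06-28T10:02:11Z proxy src=10.1.2.3 url=http://83.149.126.163/en-us/download/EVA-051616.EXE status=200",
    "2016-06-28T10:02:15Z proxy src=10.1.2.9 url=http://www.example.com/index.html status=200",
    "2016-06-28T10:03:40Z edr host=WS-042 sha256=AE03CCA0F7062BAB07F50B02A0DEECC5DF6388B9E764DDC4439FBBCEE72A4996 "
    "path=C:\\Users\\jdoe\\Downloads\\EVA-051616.EXE",
    "2016-06-28T10:05:02Z edr host=WS-017 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "path=C:\\Windows\\System32\\notepad.exe",
]

KV = re.compile(r"(\w+)=(\S+)")  # values must not contain spaces in this constructed format


def refang(indicator):
    """Turn a defanged indicator (wrapping [], hxxp://, [.] or (.) dots) back into its live form."""
    s = indicator.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".")


def build_index(iocs):
    """Normalise each IOC so it compares equal to what logs carry: refanged URLs, lowercase hashes."""
    index = {}
    for value, (kind, description) in iocs.items():
        key = refang(value) if kind == "URL" else value.lower()
        index[key] = (kind, description)
    return index


def parse_event(line):
    """Split one constructed log line into a dict of fields plus its timestamp and source."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"], fields["source"] = ts, source
    return fields


def match_events(lines, index):
    """Return one hit per event field (url or sha256) that equals a known IOC."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for field in ("sha256", "url"):
            value = event.get(field)
            if value is None:
                continue
            key = value.lower() if field == "sha256" else value
            if key in index:
                kind, description = index[key]
                hits.append({"ts": event["ts"], "source": event["source"], "field": field,
                             "ioc": key, "type": kind, "description": description})
    return hits


if __name__ == "__main__":
    for hit in match_events(SAMPLE_LOG, build_index(IOCS)):
        print(f'{hit["ts"]} {hit["source"]:5} {hit["type"]:6} {hit["description"]}: {hit["ioc"]}')
```

Hashes are compared case-insensitively because endpoint tools disagree on case, while the URL is compared exactly after refanging; a hash hit on a workstation together with a URL hit from the proxy a minute earlier, as in the sample, is the delivery-then-execution sequence described for the Kronos campaign and is worth treating as a single incident rather than two alerts.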