Cyber hacking: customized for Canada

Brokers advising their clients on cyber security will want to take note of new research that identified nearly 100 malicious email campaigns that were specifically targeted at Canadian organizations or were customized for Canadian audiences.

“Much of this is due to Emotet,” said a blog Thursday from cyber security company Proofpoint, referring to a type of general-purpose malware that is often installed via macros from malicious Word documents. “However, we also saw customization ranging from French-language lures to brand abuse from a number of actors geo-targeting Canada.”

Proofpoint researchers identified thousands of malicious email campaigns between Jan. 1 and May 1, hundreds of which were sent to Canadian organizations. Of those, nearly 100 were specifically targeted Canadian companies or were customized for Canadian audiences.

The cyber security company observed stolen branding from several notable Canadian companies and agencies, including major shipping and logistics organizations, national banks and large government agencies. Top affected industries in Canada include financial services, energy/utilities, manufacturing, healthcare and technology, said the blog Beyond “North America” – Threat actors target Canada specifically.

Banking Trojans (malicious programs that attempt to obtain confidential information) and the Emotet botnet lead the pack for Canadian companies, “creating risks for organizations and individuals with compelling lures and carefully crafted social engineering,” the blog said. “While Canada-targeted threats are not new, Emotet in particular, with its frequent region-specific email campaigns, is bringing new attention to geo-targeting in Canada and beyond.”

Emotet evolved from well-known banking Trojan Cridex, which was first discovered in 2014. Originally targeting western European banks, it has since been developed into a robust global botnet that is comprised of several modules, each of which equips Emotet with different spamming, email logging, information stealing, bank fraud, downloading and distributed denial of service attacks, among others.

Emotet activity in 2019 included several high-volume campaigns that collectively distributed tens of millions of messages, primarily targeting the manufacturing and healthcare industries. The messages were sent with attached malicious Microsoft Word documents and/or URLs that linked to malicious documents. The documents contained macros that, when enabled, installed an instance of Emotet. In this particular campaign, the botnet also spoofed Amazon invoices, which included links to malicious Word documents.

Proofpoint also tracked several other malware strains with significantly smaller footprints, but which remain noteworthy threats for Canadian companies. Among them:

• IcedID – several affiliates of banking Trojan IcedID “appeared to target Canadian organizations at higher rates than other geographies”
• The Trick – a modular banking Trojan. The main bot enables persistent infections, downloading of additional modules, loading affiliate payloads and loading updates for the malware. The Trick will attempt to disable any antivirus-related services by abusing PowerShell
• DanaBot – A Trojan that includes banking site web injections and stealer functions. Proofpoint researchers observed one DanaBot affiliate specifically targeting Canada with Canada Post-themed lures between Jan. 1 and May 1, 2019.