The emails were customized for either Canadian organizations or a more general Canadian audience, a May 23 blog post said. One feature included in these malicious emails is the use of fraudulent branding from notable Canadian companies, researchers said. Malicious actors are also leveraging “French-language lures and geo-targeted imposter attacks for ensnaring corporate credentials and banking info.”
Historically, Canada has been included in threats targeting the entire North American region, though most of these threats are typically focused on the US. Based on prior activity, researchers believe the campaigns they observed to be the work of the advanced persistent threat (APT) group TA542.
“Much of this is due to Emotet. TA542, the primary actor behind Emotet, is known for the development of lures and malicious mail specific to given regions. However, we also saw customization ranging from French-language lures to brand abuse from a number of actors geo-targeting Canada,” according to the blog post.
Threat actors are also leveraging Ursnif, an information-stealing Trojan used largely to compromise online banking websites. In addition to Emotet and Ursnif, researchers are tracking activity involving other malware strains known as IcedID, The Trick, GandCrab, Danabot, Formbook and Dridex.
When it first appeared back in 2014, Emotet was mostly seen targeting Western European banks. In these more recent campaigns, “Proofpoint researchers observed stolen branding from several notable Canadian companies and agencies including major shipping and logistics organizations, national banks, and large government agencies. Top affected industries in Canada include financial services, energy/utilities, manufacturing, healthcare, and technology.”
Researchers warned that while these ubiquitous phishing attacks and business email compromises (BECs) may be targeting Canada in this particular campaign, “other forms of imposter attacks remain ongoing threats, both internationally and in Canada.”