Between January 1, 2019, and May 1, 2019, threat actors conducted thousands of malicious email campaigns, hundreds of which were sent to Canadian organizations. While discussions of threats in this region often focus on “North America” generally or just the United States, nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences. Much of this is due to Emotet. TA542, the primary actor behind Emotet, is known for the development of lures and malicious mail specific to given regions. However, we also saw customization ranging from French-language lures to brand abuse from a number of actors geo-targeting Canada.
In these campaigns, Proofpoint researchers observed stolen branding from several notable Canadian companies and agencies including major shipping and logistics organizations, national banks, and large government agencies. Top affected industries in Canada include financial services, energy/utilities, manufacturing, healthcare, and technology.
In addition to campaigns that are specifically geo-targeted at Canada, we frequently observe Canadian organizations being affected by global or multinational campaigns. These campaigns are typically sent by financially motivated cybercriminals, but can also be orchestrated or sent by national, state-sponsored threat actors known as Advanced Persistent Threats (APTs). Overall, the majority of malware being distributed to Canadian customers affects banking and financial services most directly.
Below is a brief overview of high-risk malware payloads that frequently impact Canadian interests.
Emotet is a type of general-purpose malware that evolved from a well-known banking Trojan, “Cridex”, which was first discovered in 2014. Originally targeting Western European banks, it has since been developed into a robust global botnet made up of several modules, each of which equips Emotet with a different capability, including spamming, email logging, information stealing, bank fraud, downloading, and DDoS, among others.
Emotet activity in 2019 included several high-volume campaigns that collectively distributed tens of millions of messages primarily targeting the manufacturing and healthcare industries. Beginning in mid-January 2019, TA542 distributed millions of Emotet-laden emails in both English and German.