SentinelOne observed Canadian banks being targeted, but intelligence suggests attackers may also be going after U.S. banks.

A new variant of the nefarious Zeus trojan is targeting a number of banks in Canada, including Bank of Montreal, Royal Bank of Canada, and National Bank of Canada, according to SentinelOne.

The variant is spreading via social engineering and exploit kits, Tomer Weingarten, CEO of SentinelOne, told SCMagazine.com in a Thursday email correspondence.

“We are aware of a group that is sending malicious email attachments to Canadian email lists claiming they are Air Canada invoices,” Weingarten said.

The Zeus variant uses web injects to steal a variety of information, including usernames and passwords, answers to security questions, debit and credit card numbers, Social Security numbers, and driver's license numbers, Anton Ziukin, of SentinelOne, wrote in a Wednesday post.

That type of information can be used to commit online banking fraud, Ziukin wrote, also noting how it can be used for healthcare fraud, opening credit accounts in a victim's name, or to target individuals in spear phishing attacks.

Ziukin wrote that the web injects work seamlessly and that a user would have no idea that something was amiss. He added that the Zeus variant is not being detected by anti-virus products, and that it bypasses SSL browser security.

“Since the malware is installed on the endpoint device it can inject fake [web pages] into the browser without breaking the SSL connection to the bank's server and generating a security alert,” Ziukin wrote. “Predictive execution technology that monitors activity on the endpoint device is the only way to detect and block these attacks, and protect personal information from getting into the hands of criminals.”
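To make the mechanism Ziukin describes concrete, here is an added example (not code from SentinelOne or from this article): a small Python script that parses a webinject configuration in the text format Zeus-family malware uses (set_url / data_before / data_inject / data_after / data_end), applies it to a constructed sample login page the way the malware's in-browser hook would, after the TLS layer has already decrypted the response, and then shows the simple check a bank can run on what it receives: flag form field names the genuine page never contained. The config, the login page, the field names and the hostname bank.example are all constructed for the example; the set_url flags are parsed but not interpreted here.

```python
"""Apply a Zeus-style webinject config to plaintext HTML and detect the extra
fields it adds. Constructed example; not SentinelOne's or the article's code."""
import re
from dataclasses import dataclass


@dataclass
class Inject:
    url_pattern: str      # glob from set_url, e.g. https://bank.example/login*
    flags: str            # G/P/L letters from set_url; stored, not interpreted here
    before: str = ""      # data_before anchor (may contain * wildcards)
    inject: str = ""      # data_inject payload
    after: str = ""       # data_after anchor; empty means "insert, do not replace"


def parse_webinjects(text):
    """Parse set_url blocks with their data_before/data_inject/data_after sections."""
    injects, cur, section, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url"):
            parts = stripped.split()
            cur = Inject(url_pattern=parts[1], flags=parts[2] if len(parts) > 2 else "GP")
            injects.append(cur)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped[5:], []          # "before" / "inject" / "after"
        elif stripped == "data_end":
            if cur is not None and section is not None:
                setattr(cur, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def glob_to_regex(glob):
    """'*' is the only wildcard in set_url and in the data_before/data_after anchors."""
    return ".*?".join(re.escape(part) for part in glob.split("*"))


def url_matches(inject, url):
    return re.fullmatch(glob_to_regex(inject.url_pattern), url) is not None


def apply_injects(injects, url, html):
    """Rewrite the response body as the malware's browser hook would: the input is
    already plaintext, so the bank's TLS session and the padlock stay intact."""
    for inj in injects:
        if not url_matches(inj, url):
            continue
        m = re.search(glob_to_regex(inj.before), html, re.DOTALL)
        if not m:
            continue
        start = end = m.end()
        if inj.after:                                # replace up to the after-anchor
            m2 = re.search(glob_to_regex(inj.after), html[start:], re.DOTALL)
            if not m2:
                continue
            end = start + m2.start()
        html = html[:start] + inj.inject + html[end:]
    return html


FORM_FIELDS = re.compile(r'<input[^>]*\bname="([^"]+)"', re.I)


def unexpected_fields(html, expected):
    """Field names present in a page (or a submitted form) that the genuine page
    never had. A login POST carrying an 'ssn' field is a strong inject signal."""
    return sorted(set(FORM_FIELDS.findall(html)) - set(expected))


# Constructed sample config: insert two extra fields right after the password box.
WEBINJECT_CFG = """
set_url https://bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<label>Social Security Number <input type="text" name="ssn"></label>
<label>Debit card number <input type="text" name="card"></label>
data_end
data_after
data_end
"""

# Constructed sample login page served by the (hypothetical) bank.
LOGIN_PAGE = """<form method="post" action="/login">
<input type="text" name="user">
<input type="password" name="password" autocomplete="off">
<button>Sign in</button>
</form>"""

GENUINE_FIELDS = ["user", "password"]

if __name__ == "__main__":
    tampered = apply_injects(parse_webinjects(WEBINJECT_CFG),
                             "https://bank.example/login?lang=en", LOGIN_PAGE)
    print(tampered)
    print("unexpected fields:", unexpected_fields(tampered, GENUINE_FIELDS))
```

The injection never touches the TLS session, which is why a certificate or padlock check cannot catch it; the server-side check at the end works because the bank knows which fields its own page contains and sees extra ones arrive in the POST.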

The malware platform's modules are web-based and can easily be customized to attack multiple brands, Weingarten said. This means the attackers can target banks in the U.S., and intelligence suggests this is already being done, he added.

The “Drop” form being used by the attackers in the campaign enables configuration and customization of the attacks, Ziukin wrote. He explained how attackers can, for example, provide the details of the destination bank account where they wish to transfer stolen funds.

“The system can automatically calculate the profit percentage the person who is receiving the stolen money (called a Mule) will keep before transferring the balance to the attacker,” Ziukin wrote. “The attackers can also specify minimum and maximum balances for accounts targeted and minimum and maximum transfer amounts.”

Weingarten said that the attackers are likely located in Russia and are part of a cybercrime gang.