Spotted by researchers at Deep Instinct, a new version of CoreBot is being distributed in spam email campaigns with the intention of stealing information from customers of Canadian banking websites.
Customers of TD, Desjardins, RBC, Scotiabank and Banque Nationale are all targeted by those behind the campaign; successful execution of the malware allows the attackers to steal the credentials of infected users as they log in to these sites.
The emails in the new CoreBot campaign pose as an invoice and thank the target for making a payment, a common phishing tactic that aims to panic the victim into thinking they have lost money.
The email contains a 'view invoice' link which, if clicked, initiates the download of the malicious payload. This differs from previous CoreBot campaigns, which distributed spam emails carrying malicious Word documents that contained the payload.
This version of CoreBot also comes with new evasion techniques intended to hinder analysis of the malware code, indicating that those behind it have spent time developing their malicious product to be stealthier.
Researchers also note that the command and control server domain has switched to a different IP address since the last known CoreBot campaign. Meanwhile, the IP addresses delivering the malware appear to be based in France and Canada.
Initial examination of the new CoreBot malware suggests it's related to other active banking malware campaigns, although researchers haven't yet stated which.
It's also uncertain who is behind this criminal campaign, but artefacts in the code could potentially point to a Chinese link, Deep Instinct told ZDNet.
Analysis of CoreBot is still ongoing, but bank customers are advised to be cautious of any messages about an unexpected payment.