Canadian IP addresses were among the targets of a newly revealed exploit aimed at banks and financial institutions around the world by a group that could have netted as much as US$1 billion over the last two years.

The report from Kaspersky Lab issued Monday doesn’t say whether any institutions here were hit by what it dubs the Carbanak backdoor exploit, which starts with spear-phishing email sent to specific employees with malicious Microsoft Word and Control Panel Applet (.cpl) files attached. After searching the institutions’ networks for the right people, the attackers got hold of staff credentials to execute the thefts, often creating fake transactions in the institutions’ databases to avoid discovery.

They then used standard online banking or international e-payment systems to transfer funds to their own accounts. In some cases the attackers were able to compromise ATMs.

With the help of law enforcement agencies, some of the command and control servers have been discovered, three of which included Canadian IP addresses as targets. A map included in the report suggests that Canada was among the countries with nine or fewer IP addresses targeted. By comparison, the servers had up to 200 target IP addresses for Russia and the U.S.

The servers held some of the material the thieves harvested, including classified email, manuals, crypto keys and passwords.

So far the biggest victims appear to be banks in Russia, the U.S., Germany, China and Ukraine.

But the report again reinforces the importance of training staff to be careful before clicking on attachments, as well as the importance of detection.

Security specialist Brian Krebs says the report “showcases once again how important it is for organizations to refocus more resources away from preventing intrusions toward detecting intrusions as quickly as possible and stopping the bleeding.” One security firm that wrote late last year about what appears to be the same group said the average time from breaking into a bank’s internal networks to successful theft of cash is 42 days.

“There is nothing special about the malware itself,” Ian Amit, vice president of security firm ZeroFox said in a statement to “As usual, it was able to bypass the banks’ traditional anti-malware systems and go on its way uninterrupted. The novelty of this attack lies in how it was deployed — directly inside the bank rather than to the banks’ customers.”

In fact, Kaspersky said Carbanak “is a clear indicator of a new era in cybercrime” because attackers go after a financial institution directly.

Kaspersky says one institution lost approximately US$7.3 million due to ATM fraud, while another suffered a US$10 million loss due to the exploitation of its online banking platform.

Stolen funds were shipped to bank accounts in the U.S. and China, says the report. Telemetry indicates that the attackers are expanding operations to other regions, such as Asia, the Middle East, Africa and Europe.

Carbanak contains components that allow the attackers to record low-resolution video, take screenshots and log keystrokes on the victim systems, Kaspersky says. “This allowed the attackers to understand the protocols and daily operational tempo of their targets. Based on this understanding, exploitation methodologies and mechanisms were developed and tailored to each victim.”

A typical email would describe an amount of money to be deposited for a period of time, with an infected attachment to be installed on the victim’s computer. It then downloads a .plug file from a command and control server with the names of processes to be monitored, as well as the keystroke monitor.

The malware authors are quite cunning, rotating regularly between a number of command and control servers.

Kaspersky says one of the best methods for detecting Carbanak is to look for .bin files in the folder …\All users\%AppData%\Mozilla.
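
One way to run that check over a live profile tree or a mounted disk image, as an added example (not code from Kaspersky or from the original article). Because the article gives the folder path only in truncated form, the caller supplies the search root; the function name and record fields are assumptions of this example.

```python
import hashlib
import os
import sys
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_mozilla_bin_files(root):
    """Return one record per .bin file sitting directly in a folder named Mozilla.

    Only files directly inside the folder are reported, matching the wording
    of the indicator; subfolders of Mozilla are deliberately not searched
    (an assumption of this example).
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda err: None):
        if os.path.basename(os.path.normpath(dirpath)).lower() != "mozilla":
            continue
        for name in sorted(filenames):
            if not name.lower().endswith(".bin"):
                continue
            full = os.path.join(dirpath, name)
            size = modified = digest = None
            try:
                st = os.stat(full)
                size = st.st_size
                modified = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
                digest = sha256_of(full)
            except OSError:
                pass  # locked or unreadable files are still reported by path
            hits.append({"path": full, "size": size,
                         "modified_utc": modified, "sha256": digest})
    return hits


if __name__ == "__main__":
    # Usage: python script.py <root of profile tree or mounted image>
    for hit in find_mozilla_bin_files(sys.argv[1]):
        print(hit)
```

A hit is a lead for triage rather than a verdict: the hash and timestamp let an analyst compare the file against the indicators published in the report.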