Black Lives Matter Emails Deliver TrickBot Malware

2020-06-11T20:59:11
ID THREATPOST:9BCCB9AB2D5CB0A94DC1E05B2C57F614
Type threatpost
Reporter Tara Seals
Modified 2020-06-11T20:59:11

Description

Cyberattackers are seizing upon the 24-hour news cycle again in order to capitalize on the current zeitgeist – this time with a fake Black Lives Matter malspam campaign that distributes the TrickBot malware.

According to Swiss security firm Abuse.ch, threat actors are posing as government officials, in an effort to lure socially minded victims into clicking on a malicious attachment in an email. The messages use a grammatically challenged subject line, “Vote anonymous about Black Lives Matter,” or “Leave a review confidentially about Black Lives Matter,” and purport to contain a survey document.

> Heads up ⚠️ Threat actors are currently abusing the #BlackLivesMattters campaign to distribute malware 🔥
>
> Sender: Country authority <molecule@shmbidgp.monster>
>
> Subject: Leave a review confidentially about Black Lives Matter
>
> DOC: <https://t.co/nkwrioyeex>
>
> Payload unknown (yet) pic.twitter.com/M83ih3HmW0
>
> — abuse.ch (@abuse_ch) June 10, 2020

According to sample campaign documents (first obtained by Bleeping Computer), the attachment, if opened, surfaces a button urging recipients to “Enable Editing” or “Enable Content.” If clicked, the button activates malicious macros that in turn download TrickBot, in the form of a malicious library (.DLL file).

TrickBot is a rapidly evolving, modular malware strain that has been around since 2016, starting life as a banking trojan. Over time, it has gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps. The malware has also evolved to add more modules and act as a delivery vehicle for other malware.

For instance, earlier this month, a new stealthy backdoor that researchers call “BazarBackdoor” was added to TrickBot’s arsenal; and in January, researchers found the malware’s operators to be using “PowerTrick,” a backdoor that helped the malware conduct reconnaissance of targeted financial institutions and also fetch yet other backdoors.

Cybercriminals looking for a quick payday often latch onto popular movements, political happenings or sporting events in order to capitalize on people’s interest in a given subject. This happens perennially with the Super Bowl and the World Cup; and more recently, crooks have adopted a slew of COVID-19- and coronavirus-themed lures to pique email recipients’ interest.

The BLM-themed campaign flagged by Abuse_ch is not the only one making the rounds. Alexandre Francois, head of content at cyber-threat intelligence provider whoisxmlapi.com, told Threatpost that the firm has begun to detect an increasing number of newly registered domain names that include the word strings “blacklives” and “georgefloyd” – such as blacklivematterfund[.]com and thegeorgefloydfundation[.]net.

Since last Thursday, whoisxmlapi.com has found an average of 49 new domain registrations containing either word string appearing per day. Many are likely legitimate – and many likely aren’t.
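The keyword sweep over newly registered domains that whoisxmlapi.com describes is easy to reproduce on a defender's own feed. The following is an added example, not code from Threatpost or from whoisxmlapi.com: it takes a constructed list of (date, domain) registrations, refangs and normalizes each name, flags those containing the article's strings "blacklives" and "georgefloyd", and reports per-day counts and the daily average the article quotes. It goes slightly beyond the article in two places, both assumptions of mine: separators such as hyphens and dots are stripped before matching so "black-lives-fund" still counts, and the trailing "s" in "blacklives" is treated as optional, because the article's own example, blacklivematterfund[.]com, omits it and would otherwise slip through an exact substring match. The sample registrations, apart from the two names quoted in the article, are invented filler.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample feed of (date, domain) "new registrations". The two
# defanged names are the ones quoted in the article; the others are invented
# so the hunt has benign noise to ignore. Not real registration data.
SAMPLE_REGISTRATIONS: List[Tuple[str, str]] = [
    ("2020-06-04", "blacklivematterfund[.]com"),
    ("2020-06-04", "example-bakery.com"),
    ("2020-06-05", "thegeorgefloydfundation[.]net"),
    ("2020-06-05", "Black-Lives-Support.org"),
    ("2020-06-05", "weather-widgets.info"),
    ("2020-06-06", "georgefloyd-memorial.shop"),
]

# Article keywords "blacklives" and "georgefloyd". The 's' is optional
# (assumption) because the article's own example 'blacklivematterfund' drops it.
CAMPAIGN_PATTERN = re.compile(r"blacklives?|georgefloyd")


def normalize(domain: str) -> str:
    """Refang ('[.]' or '(.)' -> '.'), lower-case, and strip separators so
    'Black-Lives-Support.org' compares as 'blacklivessupportorg'."""
    refanged = domain.replace("[.]", ".").replace("(.)", ".").strip().lower()
    return re.sub(r"[.\-_]", "", refanged)


def defang(domain: str) -> str:
    """Emit a name in '[.]' form so it does not render as a live link in a ticket."""
    return domain.strip().lower().replace("[.]", ".").replace(".", "[.]")


def is_campaign_lookalike(domain: str, pattern: re.Pattern = CAMPAIGN_PATTERN) -> bool:
    """True when the normalized name contains one of the campaign strings."""
    return pattern.search(normalize(domain)) is not None


def hunt(registrations: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (date, defanged domain) pairs whose name matches the campaign pattern.
    Matches are candidates for review, not verdicts: many such names are legitimate."""
    return [(day, defang(domain)) for day, domain in registrations
            if is_campaign_lookalike(domain)]


def daily_counts(hits: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Number of matching registrations per day, keyed by ISO date string."""
    return Counter(day for day, _ in hits)


def daily_average(hits: Iterable[Tuple[str, str]]) -> float:
    """Average matches per observed day (0.0 when there are no hits)."""
    counts = daily_counts(list(hits))
    return sum(counts.values()) / len(counts) if counts else 0.0


if __name__ == "__main__":
    found = hunt(SAMPLE_REGISTRATIONS)
    for day, name in found:
        print(day, name)
    print("per day:", dict(daily_counts(found)))
    print("daily average: %.2f" % daily_average(found))
```

On a real feed, the daily average is the number worth trending: a jump after a news event is the signal the article describes, and the individual hits go to an analyst for triage rather than straight to a blocklist, since, as the article notes, many of these registrations are legitimate.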

“In our experience, this type of domain name could convincingly end up being used as phishing traps where victims are tricked into sending money to a bogus fund or foundation,” Francois said.

In general, businesses and end users need to be mindful of this kind of news-of-the-day campaign, researchers noted — although this particular one does have some red flags, such as the fake-sounding sender’s name (“Country administration”).

“The latest TrickBot distribution campaign highlights the need for organizations to defend themselves against phishing attacks,” according to a Thursday post from Tripwire. “One of the ways they can do this is by educating their employees about some of the most common types of phishing campaigns that are in circulation today.”