Black Lives Matter Movement Exploited by TrickBot Malware
I. Targeted Industries
- Non-Profit Organizations
- Higher Education
- Local Government
The Swiss security company Abuse.Ch recently reported that threat actors are abusing the Black Lives Matter (BLM) movement to distribute malware via phishing scams. In these scams, threat actors pose as government officials to lure victims into opening a malicious email attachment. Recipients are asked to vote anonymously on the BLM movement, while TrickBot hides in a Word document waiting to be executed. The malware then swiftly spreads across the network and begins stealing login IDs and passwords. Threat actors treat current global events as opportunities and build social engineering schemes around them for personal financial gain.
TrickBot is a well-known, sophisticated banking Trojan that was first introduced in 2016 and has constantly evolved to evade detection. Now exploiting the Black Lives Matter campaign, its operators are baiting users into opening a malicious email attachment. According to Abuse.Ch’s malware researchers, the emails carry the subject line “Vote Anonymous about Black Lives Matter”. The email asks victims to complete and return a survey in a Word document named “e-vote_form_3438.doc”. If the attachment is opened, a button urges recipients to “Enable Editing”. Hidden behind this button is the TrickBot malware: once it is clicked, the Word document runs macros that download a malicious DLL file to the computer and execute it.
When executed, the DLL downloads additional modules to the infected computer to steal files, passwords and security keys, and allows other threat actors to install ransomware. “Abusing Microsoft Office macro scripting is one of the most popular and commonly used means for phishers to deliver malware,” says Mollie MacDougall, head of Cofense Intelligence. Since June 4th, the domain data provider whoisxmlapi.com has reported an average of 49 new domain registrations containing the words “black lives” and “George Floyd”. Domains of this kind could convincingly be used as phishing traps.
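A defender-side mail triage rule built from the lure traits described above (subject line, attachment name, macro-enabled Word document, and the wave of themed domain registrations), written as an added example that is not part of this advisory or of any vendor product; the MailRecord fields and the has_vba flag are assumed to come from a mail gateway's log and its attachment macro scanner.

```python
import re
from dataclasses import dataclass

# Lure traits taken from the advisory: the subject line, the attachment name
# and the use of a macro-capable Word document opened via "Enable Editing".
LURE_SUBJECT = re.compile(r"vote\s+anonymous.*black\s+lives\s+matter", re.I)
LURE_ATTACHMENT = re.compile(r"^e-vote_form_\d+\.docm?$", re.I)
MACRO_CAPABLE = (".doc", ".docm", ".dot", ".dotm")
# Keywords from the burst of new domain registrations the advisory mentions.
LURE_DOMAIN_KEYWORDS = ("blacklives", "georgefloyd")

@dataclass
class MailRecord:
    """One message as a mail gateway might log it (field names are assumed)."""
    sender: str
    subject: str
    attachment: str
    has_vba: bool  # outcome of the gateway's macro scan of the attachment

def lookalike_domain(domain: str) -> bool:
    """True if the domain contains a lure keyword once separators are removed."""
    squashed = re.sub(r"[^a-z]", "", domain.lower())
    return any(k in squashed for k in LURE_DOMAIN_KEYWORDS)

def lure_indicators(m: MailRecord) -> list:
    """Return the name of every advisory indicator the message matches."""
    hits = []
    if LURE_SUBJECT.search(m.subject):
        hits.append("lure-subject")
    if LURE_ATTACHMENT.match(m.attachment):
        hits.append("lure-attachment-name")
    if m.has_vba and m.attachment.lower().endswith(MACRO_CAPABLE):
        hits.append("macro-office-attachment")
    if lookalike_domain(m.sender.rsplit("@", 1)[-1]):
        hits.append("lure-sender-domain")
    return hits

def triage(m: MailRecord) -> str:
    """Quarantine on two or more indicators, hold one for review, else deliver."""
    n = len(lure_indicators(m))
    return "quarantine" if n >= 2 else "review" if n == 1 else "deliver"

# Constructed sample records for demonstration; none of these are real messages.
SAMPLES = [
    MailRecord("clerk@black-lives-vote.example", "Vote Anonymous about Black Lives Matter", "e-vote_form_3438.doc", True),
    MailRecord("hr@corp.example", "Q2 benefits enrollment", "benefits_2020.docm", True),
    MailRecord("news@corp.example", "Weekly newsletter", "newsletter.pdf", False),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.attachment, lure_indicators(s), triage(s))
```

The second sample shows the caveat: a macro-bearing Office attachment alone is only grounds for review, since legitimate business documents carry macros too.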
- Phishing Awareness Training
Users should be informed and educated about new kinds of phishing scams currently in use, as well as those that have been used in the past.
- User Awareness Training
Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
- Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
- Verify Authenticity Before Downloading Anything
Avoid downloading anything from unknown sources and always verify the authenticity of the download.
V. Indicators of Compromise (IOCs)
The link below is included to assist with downloading some of the identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.