Attackers leverage the Black Lives Matter movement to deliver TrickBot malware

A common tactic for cybercriminals is to craft phishing emails and social engineering scams around popular events or global news, a recent example being the numerous COVID-19 related phishing campaigns observed since March.

With Black Lives Matter protests in the news recently, a new campaign has been observed which sees adversaries taking advantage of the movement to trick targeted users into downloading malicious attachments.

Campaign Details

The campaign attracts users by asking them to vote or comment with their opinion on the Black Lives Matter movement, with email subjects including “Vote anonymous about Black Lives Matter”, “Give YOUR Feedback anonymous about Black Lives Matter” and “Speak out confidentially about Whose Lives Matter”.

The body of the email is unsophisticated, containing just two sentences. The first sentence is similar to the subject line, for example “Tell your government your opinion anonymous about Black Lives Matter”, and the second sentence informs the user of the attached document, with the text “Claim in attached file”. The poor grammar used here is highly typical of a phishing email.

Once the Microsoft Word document is downloaded and opened, the user must click “Enable Editing” to take the document out of Protected View, the restricted mode in which macros cannot execute. Analysis of the document shows that it is designed to deceive the user by suggesting they need to press “Enable Editing” to start updates that are available for Microsoft Office. Instead, once outside Protected View, the document runs macros which download and execute a malicious TrickBot DLL.

Malware sample run on ANY.RUN

TrickBot

Originally developed as a banking Trojan in 2016, TrickBot has since evolved a variety of new malicious capabilities. These include spreading laterally through a network via the SMB exploit EternalBlue, stealing saved credentials in browsers, stealing Active Directory Services databases, stealing cookies and OpenSSH keys, stealing RDP, VNC, and PuTTY credentials, and more.

TrickBot is a modular trojan that targets sensitive information and acts as a dropper for other malware. Its modular design also lets it work alongside ransomware operations such as Ryuk, and it has recently been observed deploying that ransomware to compromised networks.

Indicators of compromise

Domains:

  • hxxp://copsbiau.monster
  • hxxp://vmrriktf.monster
  • hxxp://ygzggxeh.monster
  • hxxp://mnjcszrh.monster
  • hxxp://shmbidgp.monster

Sending addresses:

  • paperweight@shmbidgb.monster
  • pack@copsbiau.monster
  • molecule@shmbidgp.monster

Sending IP:

  • 89.203.248.175

Example filenames:

  • e-vote_form_1324.doc
  • e-vote_form_32411.doc
  • e-vote_form_41429.doc
  • e-vote_form_83110.doc
  • e-vote_form_9017.doc

Document file hash (SHA256):

  • af3fcc4d0646a3a2c27512b07a0c84428ced10606e28e248ecfcd8c2569d85d8

DLL file hash (SHA256):

  • af745b89b72c57307c1805107ea440b0c5768057de52ed3aff6a1c675514ab85

TrickBot payload URLs:

  • hxxps://ppid.indramayukab.go.id/may.php
  • hxxps://www.inspeclabeling.com/wp-content/themes/processing/may.ph
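As an added example (not code from the original post), the following Python triage routine turns the campaign details and the indicators above into mail-gateway detection logic: it checks the sender domain and sending IP against the listed values, the subject against the lure wording, the attachment name against the e-vote_form_NNNN.doc pattern, and the attachment SHA256 against the published document and DLL hashes. The three mail records are constructed for illustration; the sender-domain set includes both spellings (shmbidgp/shmbidgb) that appear on the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators copied from the IoC section of the post.
MALICIOUS_DOMAINS = {"copsbiau.monster", "vmrriktf.monster", "ygzggxeh.monster",
                     "mnjcszrh.monster", "shmbidgp.monster", "shmbidgb.monster"}
SENDING_IPS = {"89.203.248.175"}
KNOWN_HASHES = {
    "af3fcc4d0646a3a2c27512b07a0c84428ced10606e28e248ecfcd8c2569d85d8",  # .doc lure
    "af745b89b72c57307c1805107ea440b0c5768057de52ed3aff6a1c675514ab85",  # TrickBot DLL
}
# Attachment naming and subject wording described in "Campaign Details".
FILENAME_RE = re.compile(r"^e-vote_form_\d+\.doc$", re.IGNORECASE)
SUBJECT_RE = re.compile(r"\b(anonymous|confidentially)\b.*\blives matter\b", re.IGNORECASE)


@dataclass
class MailRecord:
    sender: str
    source_ip: str
    subject: str
    attachment: str
    attachment_sha256: str


def score_message(m: MailRecord) -> List[str]:
    """Return the list of indicator categories this message matches (empty = no hit)."""
    hits = []
    domain = m.sender.rsplit("@", 1)[-1].lower()
    if domain in MALICIOUS_DOMAINS:
        hits.append("sender-domain")
    if m.source_ip in SENDING_IPS:
        hits.append("sending-ip")
    if SUBJECT_RE.search(m.subject):
        hits.append("subject-lure")
    if FILENAME_RE.match(m.attachment):
        hits.append("attachment-name")
    if m.attachment_sha256.lower() in KNOWN_HASHES:  # hash match survives a renamed file
        hits.append("attachment-hash")
    return hits


# Constructed sample messages: a full campaign hit, a benign mail, and a renamed lure.
SAMPLE_MESSAGES = [
    MailRecord("pack@copsbiau.monster", "89.203.248.175", "Vote anonymous about Black Lives Matter",
               "e-vote_form_1324.doc", "af3fcc4d0646a3a2c27512b07a0c84428ced10606e28e248ecfcd8c2569d85d8"),
    MailRecord("hr@example.com", "203.0.113.5", "Q2 timesheet reminder", "timesheet.xlsx", "0" * 64),
    MailRecord("news@example.net", "198.51.100.7", "Speak out confidentially about Whose Lives Matter",
               "survey.doc", "AF3FCC4D0646A3A2C27512B07A0C84428CED10606E28E248ECFCD8C2569D85D8"),
]

if __name__ == "__main__":
    for rec in SAMPLE_MESSAGES:
        print(rec.sender, score_message(rec))
```

The third record shows why hash and subject checks matter alongside the filename pattern: the lure was renamed and sent from an unlisted address, yet the content still matches.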