A common tactic for cybercriminals is to craft phishing emails and social engineering scams around popular events or global news; a recent example is the numerous COVID-19-related phishing campaigns observed since March.
With the Black Lives Matter protests in the news recently, a new campaign has been observed in which adversaries take advantage of the movement to trick targeted users into downloading malicious attachments.
The campaign attracts users by asking them to vote or comment with their opinion on the Black Lives Matter movement, with email subjects including “Vote anonymous about Black Lives Matter”, “Give YOUR Feedback anonymous about Black Lives Matter” and “Speak out confidentially about Whose Lives Matter”.
The body of the email is unsophisticated, containing just two sentences. The first sentence is similar to the subject line, for example “Tell your government your opinion anonymous about Black Lives Matter”, and the second sentence informs the user of the attached document with the text “Claim in attached file”. The poor grammar here is highly typical of a phishing email.
Once the Microsoft Word document is downloaded and opened, the user is required to click “Enable Editing” to take the document out of Protected View, the restricted mode in which macros are not allowed to execute. Analysis of the document shows that it is designed to deceive the user by suggesting that they need to press “Enable Editing” to install updates that are available for Microsoft Office. Instead, once outside Protected View, the document runs macros that download and execute a malicious TrickBot DLL.
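The lure depends on the user leaving Protected View so that an embedded VBA project can run. The following is an added example (not code from the original article or from the researchers who analysed the sample) showing how a mail-gateway or triage script can flag a macro-carrying Office Open XML document before anyone is asked to click “Enable Editing”. It assumes the OOXML layout used by modern Word files (`word/vbaProject.bin` for VBA code, `[Content_Types].xml` declaring whether the file is macro-enabled); the sample archive it inspects is constructed in memory and contains placeholder bytes rather than real macro code. Legacy binary `.doc` files use the OLE2 container instead and would need a different parser, which the script reports rather than guesses about.

```python
"""Flag Office Open XML documents that carry a VBA macro project.

Added example, not from the original article. Builds a constructed,
harmless .docm-style archive in memory and inspects it the way a mail
gateway or triage script might.
"""
import io
import zipfile

# Assumption: OOXML Word documents keep VBA code in word/vbaProject.bin, and
# the main part's content type says whether the file is .docx (no macros)
# or .docm (macro-enabled).
MACRO_PART = "word/vbaProject.bin"
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument."
            "wordprocessingml.document.main+xml")

CONTENT_TYPES_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="{ct}"/>'
    "</Types>"
)


def build_sample(with_macro: bool, content_type: str) -> bytes:
    """Construct a minimal OOXML archive for testing; no real VBA inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    CONTENT_TYPES_TEMPLATE.format(ct=content_type))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr(MACRO_PART, b"constructed-placeholder-not-real-vba")
    return buf.getvalue()


def inspect_document(data: bytes) -> dict:
    """Report whether a macro project is present, whether the declared
    content type admits it, and a short verdict for the triage queue."""
    findings = {
        "is_ooxml": False,
        "has_macro": False,
        "declared_macro_enabled": False,
        "content_type_mismatch": False,
        "verdict": "unknown",
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .doc (OLE2) or something else entirely: hand off, don't guess.
        findings["verdict"] = "not-ooxml"
        return findings
    findings["is_ooxml"] = True
    names = set(zf.namelist())
    findings["has_macro"] = MACRO_PART in names
    try:
        ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        ct_xml = ""
    findings["declared_macro_enabled"] = MACRO_ENABLED_CT in ct_xml
    # A VBA project inside a file that claims to be a plain .docx is
    # itself worth a second look, even though Word will not run it as such.
    findings["content_type_mismatch"] = (
        findings["has_macro"] and not findings["declared_macro_enabled"]
    )
    findings["verdict"] = "macro-present" if findings["has_macro"] else "no-macro"
    return findings


if __name__ == "__main__":
    for label, blob in [("docm", build_sample(True, MACRO_ENABLED_CT)),
                        ("docx", build_sample(False, PLAIN_CT)),
                        ("raw bytes", b"\xd0\xcf\x11\xe0 not a zip")]:
        print(label, inspect_document(blob)["verdict"])
```

A document that comes back `macro-present` is a candidate for quarantine or sandbox detonation regardless of what its body text promises about “updates”; `not-ooxml` files should be routed to an OLE2-aware tool rather than passed as clean.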
Malware sample run on ANY.RUN
Originally developed as a banking Trojan in 2016, TrickBot has since evolved a variety of new malicious capabilities. These include spreading laterally through a network via the SMB exploit EternalBlue, stealing credentials saved in browsers, stealing Active Directory Services databases, stealing cookies and OpenSSH keys, stealing RDP, VNC, and PuTTY credentials, and more.
TrickBot is a modular trojan that targets sensitive information and acts as a dropper for other malware. Its modular nature allows it to partner with ransomware operators, such as those behind Ryuk, and it has recently been observed being used to deploy ransomware to compromised networks.
Indicators of compromise
Document file hash (SHA256):
DLL file hash (SHA256):
TrickBot payload URLs:
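The indicators above are most useful when they are actually swept against endpoints and proxy logs. The following is an added example, not part of the original post, of a small stand-alone sweep: it hashes files under a directory and compares them with a SHA256 indicator set, and it scans proxy log lines for requests to the payload URLs, normalising host and path so that case or port differences in the logs do not hide a match. The indicator values, the file tree and the log lines in the script are constructed placeholders; the published hashes and URLs from the section above should be substituted for them.

```python
"""Sweep a file tree and proxy log lines against SHA256 and URL indicators.

Added example, not from the original article. All indicator values, files
and log lines below are constructed placeholders.
"""
import hashlib
import os
import re
import shutil
import tempfile
from urllib.parse import urlsplit

# Constructed placeholder: SHA256 of the bytes b"constructed-malicious-sample".
PLACEHOLDER_HASHES = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}
# Constructed placeholder URL (.invalid is reserved and never resolves).
PLACEHOLDER_URLS = {"http://payload.example.invalid/files/update.dll"}


def normalize_url(url: str) -> str:
    """Reduce a URL to lower-cased host plus path so that scheme case,
    explicit ports and similar log-side variations still match."""
    parts = urlsplit(url.strip())
    return f"{parts.hostname or ''}{parts.path or '/'}"


IOC_URL_KEYS = {normalize_url(u) for u in PLACEHOLDER_URLS}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root: str, hashes=PLACEHOLDER_HASHES) -> list:
    """Return sorted paths under root whose SHA256 is in the indicator set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if sha256_file(path) in hashes:
                hits.append(path)
    return sorted(hits)


def scan_proxy_log(lines, url_keys=IOC_URL_KEYS) -> list:
    """Return (line_number, url) for each logged request to an indicator URL."""
    hits = []
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            if normalize_url(url) in url_keys:
                hits.append((number, url))
    return hits


def demo():
    """Run both sweeps over a constructed file tree and constructed log lines."""
    root = tempfile.mkdtemp()
    try:
        with open(os.path.join(root, "feedback.docm"), "wb") as fh:
            fh.write(b"constructed-malicious-sample")
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"benign content")
        log_lines = [
            '2020-06-10 12:00:01 10.0.0.5 GET "https://intranet.example.invalid/home" 200',
            '2020-06-10 12:00:09 10.0.0.5 GET "HTTP://PAYLOAD.EXAMPLE.INVALID:80/files/update.dll" 200',
        ]
        file_hits = [os.path.basename(p) for p in sweep_directory(root)]
        url_hits = scan_proxy_log(log_lines)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return file_hits, url_hits


if __name__ == "__main__":
    print(demo())
```

Matching on host plus path rather than the raw string is deliberate: proxies commonly log an upper-cased scheme or an explicit `:80`, and an exact-string comparison against the published URL would miss those requests.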