Fake Black Lives Matter voting campaign spreads Trickbot malware

A phishing email campaign asking you to vote anonymously about Black Lives Matter is spreading the TrickBot information-stealing malware.

Started as a banking Trojan, the TrickBot has evolved to perform a variety of malicious behavior.

This behavior includes spreading laterally through a network, stealing saved credentials in browsers, stealing Active Directory Services databasesstealing cookies and OpenSSH keysstealing RDP, VNC, and PuTTY Credentials, and more.

TrickBot also partners with ransomware operators, such as Ryuk, to give access to a compromised network to deploy ransomware.

Capitalizing on the Black Lives Matter movement

Threat actors commonly utilize current events as lures to trick people into opening their malicious emails.

Such is the case with a new campaign discovered by cybersecurity organization Abuse.ch that pretends to be from “Country administration,” asking recipients to ‘Vote anonymous about “Black Lives Matter”.’

The email, shown below, states, “Leave a review confidentially about “Black Lives Matter” and then prompts recipients to fill out and return an attached document named ‘e-vote_form_3438.doc.’

Phishing email
Phishing email

When a recipient opens the Word document, they will be greeted with a message stating that they need to click on the ‘Enable Editing’ and ‘Enable Content’ buttons to view the contents properly.

Malicious word doc
Malicious word doc

Once they click on these buttons, the Word document will run macros that download a malicious DLL to the computer and execute it.

This DLL is the TrickBot trojan that, when executed, will download further modules to the infected computer to steal files, passwords, security keys, spread laterally throughout the network, and allow other threat actors to install ransomware.

Due to this, a TrickBot trojan can be a devastating infection regardless of whether you are a corporate victim or a home user.

It is important to remember that malware developers and distributors commonly become more active during significant moments in history and political unrest.

This dramatic increase in phishing and cyberattacks related to COVID-19, and it is not surprising that we also see it now.

Be extremely careful with any emails you received, especially those that are politically or socially motivated, as they could be malware in disguise.


Next Post

Coronavirus rips through Dutch mink farms, triggering culls to prevent human infections | Science

Thu Jun 11 , 2020
Mink populations burgeon in the spring, when pups are born, raising concerns about new SARS-CoV-2 outbreaks. Ruslan Shamukov/TASS via Getty Images By Martin EnserinkJun. 9, 2020 , 3:30 PM Science’s COVID-19 reporting is supported by the Pulitzer Center. LELYSTAD, THE NETHERLANDS—In a sad sideshow to the COVID-19 pandemic, authorities in […]