Author: Eric Patterson
TLP: WHITE
On 25 June, Infoblox observed a Black Lives Matter (BLM)-themed malicious spam (malspam) campaign delivering Trickbot malware [1, 2, 3]. The previous Trickbot campaign we wrote about employed an email lure that spoofed an alert from the World Health Organization regarding the Coronavirus pandemic [4].
Trickbot infects victims, steals sensitive financial information, and exfiltrates it to its command and control (C2) server. It can also move laterally within a network by brute-forcing Remote Desktop Protocol (RDP) credentials. Threat actors favor Trickbot due to its modular nature, which facilitates customization and provides attackers the capability to drop additional malware on an infected system.
The emails we observed in this campaign all purported to come from official-sounding sources such as the “State Authority” or “Country Administration,” neither of which actually exists.
The email subject lines varied, asking the recipient to vote on or express how they felt about the BLM movement. The message bodies followed this theme, asking recipients to anonymously leave their reviews on the subject matter. The bodies also indicated that some sort of claim was attached. The accompanying files were Microsoft Word documents that followed the naming scheme: e-vote_form <4-5 digits>.doc.
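The lure traits above (a spoofed "official" sender, a BLM voting or review theme, and a `.doc` attachment named `e-vote_form <4-5 digits>.doc`) can be turned into a simple mail-triage check. This is an added example, not code from Infoblox or from the report; the theme keyword list and the constructed sample message are assumptions, and a hit is an indicator for review, not a verdict.

```python
import re
from email import message_from_string

# Attachment naming scheme reported for this campaign: e-vote_form <4-5 digits>.doc
ATTACHMENT_RE = re.compile(r"^e-vote_form \d{4,5}\.doc$", re.IGNORECASE)
# Non-existent "official" sender names used in the lure, per the report.
SENDER_NAMES = ("state authority", "country administration")
# Subject theme words (an assumed keyword list, not a published signature).
THEME_WORDS = ("black lives matter", "blm", "vote", "review")


def attachment_names(msg):
    """Return the filenames of every attachment part in a parsed message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def score_email(raw):
    """Triage one RFC 822 message against the lure traits described above."""
    msg = message_from_string(raw)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    hits = {
        "spoofed_sender": any(n in sender for n in SENDER_NAMES),
        "blm_theme": any(w in subject for w in THEME_WORDS),
        "evote_attachment": any(ATTACHMENT_RE.match(n) for n in attachment_names(msg)),
    }
    # The attachment pattern alone is specific enough to flag; the sender and
    # subject traits are weaker and only flag in combination.
    hits["flag"] = hits["evote_attachment"] or (hits["spoofed_sender"] and hits["blm_theme"])
    return hits


# Constructed sample mimicking the reported lure (not a real capture).
SAMPLE = """From: State Authority <vote@example.invalid>
Subject: Leave your anonymous review on Black Lives Matter
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please leave your review anonymously. The claim is attached.
--b1
Content-Type: application/msword; name="e-vote_form 12345.doc"
Content-Disposition: attachment; filename="e-vote_form 12345.doc"

(binary omitted)
--b1--
"""
```

Running `score_email(SAMPLE)` flags the constructed message on all three traits; a benign message with no matching attachment and a normal sender is not flagged.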
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://twitter.com/malware_traffic/status/1276193322999123972
2. https://twitter.com/abuse_ch/status/1275526243404972034
3. https://news.zepko.com/black-lives-matter-email-campaign-delivers-trickbot-malware/
4. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–66