Black Lives Matter Emails Deliver TrickBot Malware

black lives matter

Malspam emails are claiming to deliver a survey on BLM — but in reality they deliver the infamous banking trojan.

Cyberattackers are seizing upon the 24-hour news cycle again in order to capitalize on the current zeitgeist – this time with a fake Black Lives Matter malspam campaign that distributes the TrickBot malware.

According to Swiss security firm, threat actors are posing as government officials, in an effort to lure socially minded victims into clicking on a malicious attachment in an email. The messages use a grammatically challenged subject line, “Vote anonymous about Black Lives Matter,” or “Leave a review confidentially about Black Lives Matter,” and purport to contain a survey document.

According to sample campaign documents (first obtained by Bleeping Computer), the attachment, if opened, surfaces a button urging recipients to “Enable Editing” or “Enable Content.” If clicked, the button activates malicious macros that in turn download TrickBot, in the form of a malicious library (.DLL file).

TrickBot is a rapidly evolving, modular malware strain that has been around since 2016, starting life as a banking trojan. Over time, it has gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps. The malware has also evolved to add more modules and act as a delivery vehicle for other malware.

For instance, earlier this month, a new stealthy backdoor that researchers call “BazarBackdoor” was added to TrickBot’s arsenal; and in January, researchers found the malware’s operators to be using “PowerTrick,” a backdoor that helped the malware conduct reconnaissance of targeted financial institutions and also fetch yet other backdoors.

Cybercriminals looking for a quick payday often latch onto popular movements, political happenings or sporting events in order to capitalize on people’s interest in a given subject. This happens perennially with the Super Bowl and the World Cup; and more recently, crooks have adopted a slew of COVID-19- and coronavirus-themed lures to pique email recipients’ interest.