Black Lives Matter campaign misused by Trickbot malware


Cybercriminals have switched from Covid-19 pandemic scams to Black Lives Matter movement scams

TrickBot Trojan spread via Black Lives Matter scam campaign

“Vote anonymous about Black Lives Matter”[1] is the subject line of scam emails spotted in the wild in the first half of June 2020. Since the beginning of the worldwide Coronavirus pandemic, hackers have kept pace with the news and launched thousands of scam campaigns exploiting the dominant topic. Now that the pandemic is subsiding, criminals are looking for new hooks to trick people into installing malware.

The latest scam campaign takes advantage of the movement that began in the USA after a policeman killed unarmed black man George Floyd[2] by kneeling on his neck. The Black Lives Matter movement has since gone global, triggering massive riots and drawing people’s attention worldwide.

As cybersecurity experts point out, scammers have launched a new campaign that tricks people into downloading the infamous TrickBot[3] banking Trojan. Since 2016 this infection has targeted leading banks in the UK, US, Australia, and other wealthy countries. However, the current Black Lives Matter TrickBot campaign appears to target home users in particular.

TrickBot payload spread in disguise as an infected Microsoft Office Word document

Abuse.ch[4] was the first to detect the new spam campaign. As the company points out, the Black Lives Matter scam has emerged at the right moment, as more and more people are joining the movement and following news about it. Thus, appealing subjects like “Vote anonymous about Black Lives Matter” are very likely to stand out among other inbox emails.

The TrickBot-bearing scam email is sent from a supposed country administrator via an [email protected] address. The subject line asks the recipient to vote on the movement, while the body text says little:

Leave a review confidentially about “Black Lives Matter”
Claim in attached file

The message carries an attachment named e-vote_form_3438.doc. This file is the real threat, and no one should attempt to open it. The supposed Microsoft Office Word document contains a malicious TrickBot payload, which is launched if the potential victim clicks the “Enable Editing” and “Enable Content” buttons. The payload then downloads the malicious DLL file and starts the banking Trojan.
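As an added defensive example (not part of the original article), the following Python triage routine parses a constructed copy of the lure described above and flags the two signals the article names: the campaign subject wording and a macro-capable legacy Word attachment. The sender and recipient addresses and the attachment bytes are constructed placeholders, not material from the real campaign.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure wording taken from the campaign described in the article (matched case-insensitively).
CAMPAIGN_SUBJECTS = ("vote anonymous", "leave a review confidentially")
# Office formats that can carry VBA macros and therefore show the "Enable Content" prompt.
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".ppt", ".pptm"}
# Magic bytes of the legacy OLE compound container used by .doc/.xls/.ppt files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
LEGACY_OLE_EXTS = {".doc", ".dot", ".xls", ".ppt"}


def build_sample() -> bytes:
    """Constructed message modelled on the lure; addresses and bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "administrator@example.invalid"  # hypothetical sender
    msg["To"] = "recipient@example.invalid"  # hypothetical recipient
    msg["Subject"] = 'Vote anonymous about "Black Lives Matter"'
    msg.set_content('Leave a review confidentially about "Black Lives Matter"\nClaim in attached file\n')
    # Constructed attachment: only the OLE header plus padding, not a real document.
    fake_doc = OLE_MAGIC + b"\x00" * 24
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="e-vote_form_3438.doc")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return the detection findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    findings = []
    if any(k in subject.lower() for k in CAMPAIGN_SUBJECTS):
        findings.append("lure subject matches known campaign wording")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in MACRO_CAPABLE:
            findings.append(f"macro-capable Office attachment: {name}")
        # Edge case: a legacy OLE document renamed to hide its real type.
        if data.startswith(OLE_MAGIC) and ext not in LEGACY_OLE_EXTS:
            findings.append(f"OLE container with mismatched extension: {name}")
    return {"subject": subject, "findings": findings, "quarantine": bool(findings)}


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run as a script it prints two findings for the constructed lure; a plain-text message with a neutral subject yields none.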

What to expect if the TrickBot virus enters the machine?

TrickBot is a highly dangerous banking Trojan. It is capable of mimicking the login windows of banking websites, thus tricking people into giving away their credentials. The Trojan is written in C++.

On top of that, TrickBot uses the Microsoft CryptoAPI, COM, and Task Scheduler commands to gain full control over the system. Once it has established persistence, the criminals behind the Trojan start sending commands from the C2 server to take screenshots, log keystrokes, record the webcam, alter the windows of banking sites, harvest saved passwords, and so on.

This banking Trojan has remained active for over four years. Its cyberattacks went rampant in 2017[5], when banks in the United States, Canada, United Kingdom, Ireland, Germany, France, Switzerland, and New Zealand were attacked. In 2019 it was dubbed one of the most dangerous Trojans on the market after it was used in a SIM swapping attack that allowed hackers to bypass multi-factor authentication and reset passwords for victims’ bank accounts, email accounts, and cryptocurrency exchange portals.

TrickBot has some distinctive features that can give away its presence

Did you open the attachment of the Black Lives Matter scam email? If so, we recommend scanning your PC with a professional anti-virus program. Even if nothing seems wrong, there is a high risk that the TrickBot payload was launched via the malicious e-vote_form_3438.doc file. In case of infection, professional security software is a must to get rid of this threat.

Nevertheless, the TrickBot virus can give itself away, since it uses a technique called “web injects.”[6] In other words, it may start generating traffic to ISP websites or other domains that ask for a login and password. Although such rogue login pages mimic legitimate websites, vigilant users can identify copycat sites because they tend to have some discrepancies. For example, a couple of years ago TrickBot redirected victims to a fake Verizon Wireless website that asked them to log in with a username, password, and PIN code, whereas the original Verizon login page never asked for a PIN. Thus, people should stay alert and carefully inspect every website they visit, because you never know what’s behind it.