Malicious Cyber Actors Leverage Black Lives Matter Movement to Distribute Trickbot Malware


  • Cyber criminals have mastered the art of weaponizing popular culture to launch cyber attacks.
  • Phishing email campaigns are among the most popular methods used to compromise a victim.
  • Attackers are now targeting victims using email subject lines such as “Vote anonymously about Black Lives Matter” to increase the likelihood of a victim opening the message.

The Black Lives Matter movement has taken the world by storm. Protesters around the globe have come together to show everyone that racism has no place in the United States, let alone the world. With the popularity of the Black Lives Matter movement skyrocketing, cyber criminals are now attempting to capitalize on the power of the movement to distribute the Trickbot malware via phishing email campaigns. Today we will take a look at Trickbot, learn how cyber criminals are distributing the malware, and provide you with a few recommendations to prevent, detect, and remediate Trickbot infections.

What is Trickbot?
Developed in 2016, Trickbot is a malicious program that was originally designed as a banking trojan. This trojan was capable of inflicting serious damage. Not only could the trojan target international banks, it was also capable of stealing from one’s Bitcoin wallet. Over the years, its developers have continually updated it with a host of new features. In its current form, Trickbot can be used to:

  • Move laterally throughout a network, maximizing the damage the malware can inflict.
  • Exfiltrate Active Directory databases and users’ credentials from their browsers.
  • Steal cookies, OpenSSH keys used to establish a VPN connection, RDP, VNC, and PuTTY credentials.
  • Install additional payloads, such as keyloggers and ransomware.

How is Trickbot Being Distributed?
A Swedish-based cybersecurity firm recently disclosed that malicious cyber actors are sending emails, pretending to be from “Countryadministration.” The sender asks recipients to fill out an attached form in order to “leave a review confidentially about ‘Black Lives Matter’.”

Black Lives Matter Phishing Email
Photo credit: Bleeping Computer

When users open the attached form, they are greeted with a message stating that they must click on the “Enable Editing” and “Enable Content” buttons.

Malicious Word Document
Photo credit: Bleeping Computer

Once the recipient clicks on these buttons, the Word document will run macros that download a malicious DLL, which contains the Trickbot malware, and execute it.

How Can I Protect Myself from Trickbot?
The following steps are recommended to prevent, detect, and remediate Trickbot infections:

  • Learn the basics of social engineering and how to identify phishing emails.
  • Limit the use of administrative credentials to prevent the malware from being able to execute administrative tasks.
  • Identify, shut down, and take the infected machines off the network.
  • To prevent the malware from collecting new passwords, reset account passwords only after infected machines are cleaned and moved to a new VLAN.
  • Monitor SMB communication, limit access to only admin servers, or completely block SMB communication between workstations, if not needed.
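
One way to act on the SMB-monitoring recommendation above, shown as an added example that is not from the original article: a small Python check that reads flow records and flags SMB traffic between workstations, plus any workstation contacting several peers over SMB. The subnet, admin-server address, record format, and sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed (hypothetical) addressing plan; replace with your own ranges.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ADMIN_SERVERS = {ipaddress.ip_address("10.10.0.5")}
SMB_PORTS = {139, 445}

# Constructed sample flow records: timestamp src dst dst_port proto
SAMPLE_FLOWS = """\
2020-06-11T09:00:01Z 10.20.1.15 10.10.0.5 445 tcp
2020-06-11T09:00:04Z 10.20.1.15 10.20.1.22 445 tcp
2020-06-11T09:00:05Z 10.20.1.15 10.20.1.23 445 tcp
2020-06-11T09:00:06Z 10.20.1.15 10.20.2.40 445 tcp
2020-06-11T09:00:09Z 10.20.3.7 10.20.3.8 443 tcp
2020-06-11T09:00:12Z 10.20.4.9 10.20.4.10 139 tcp
malformed line
"""

def is_workstation(ip):
    return any(ip in net for net in WORKSTATION_NETS)

def find_lateral_smb(flow_text, fanout_threshold=3):
    """Return (violations, fanout_sources) for workstation-to-workstation SMB."""
    violations, peers = [], defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src_s, dst_s, port_s, proto = parts
        try:
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue
        if proto != "tcp" or port not in SMB_PORTS or dst in ADMIN_SERVERS:
            continue  # not SMB, or SMB to a permitted admin server
        if is_workstation(src) and is_workstation(dst):
            violations.append((ts, src_s, dst_s, port))
            peers[src_s].add(dst_s)
    # A source touching many distinct peers over SMB suggests lateral movement.
    fanout = sorted(s for s, d in peers.items() if len(d) >= fanout_threshold)
    return violations, fanout

if __name__ == "__main__":
    hits, spreaders = find_lateral_smb(SAMPLE_FLOWS)
    for hit in hits:
        print("workstation-to-workstation SMB:", *hit)
    print("fan-out sources:", spreaders)
```

Any flagged flow is a candidate for a firewall rule blocking SMB between workstations; a fan-out source is a candidate for isolation.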

Need any help securing yourself or your organization from Malware threats? Contact us and we’ll be happy to lend a helping hand! Make sure to subscribe to our mailing list for more information security related tips and tricks.
