Scammers often craft social engineering schemes around major crises and news events, as demonstrated by the wealth of coronavirus-themed phishing campaigns seen this year. Now, as massive U.S. and global protests continue following the May 25 killing of George Floyd at the hands of a Minneapolis police officer, a new phishing operation is attempting to leverage the Black Lives Matter movement.
Researchers at Abuse.ch on Wednesday warned in a series of tweets that malicious actors are attempting to spread the TrickBot modular banking trojan via phishing emails that ask recipients to "Leave a review confidentially about Black Lives Matter."
In a sample email shown in one tweet, the senders use the email address [email protected][.]monster and identifies themselves as "Country authority."
According to a report from BleepingComputer, the email asks recipients to fill out and return an attached document named 'e-vote_form_3438.doc.' Individuals who open the document are asked to enable malicious macros that download and execute a DLL payload onto the victim's computer.
A spokesperson from abuse.ch reportedly told Forbes that the campaign was "pretty big, apparently hitting U.S. mailboxes."
TrickBot's original purpose was for harvesting banking credentials, but thanks to its plug-in nature it can now also incorporate modules for a variety of purposes including brute force attacks, lateral movement, reconnaissance, data collection and exfiltration and more. It has also recently been used in campaigns in conjunction with Ryuk ransomware.
SC Media reached out to numerous security firms that specialize in email security and/or conduct phishing research to see if they have witnessed any campaigns capitalizing on the BLM movement or the ongoing unrest and protests related to Floyd's death.
"Phishing actors often capitalize on current events and use them in their phishing themes to entice victims to engage - whether clicking a link, opening an attachment or entering credentials - in order to successfully compromise their targets," said Mollie MacDougall, head of Cofense Intelligence. "We have been tracking such trends with COVID-19 and have started to observe new Black Lives Matter-themed phishing emails that deliver the TrickBot trojan via an Office macro-laden document."
"Abusing Microsoft Office macro scripting is one of the most popular and commonly used means for phishers to deliver malware. Threat actors who use this document type rely on the victim enabling the macro scripting functionality or on having already enabled it to allow their scripting to run."