Cybersecurity experts have found a fake Black Lives Matter voting campaign leveraging the popularity and sentiments of people in the ongoing protests against racism to spread Trickbot, an information-stealing malware. The phishing campaign is being touted to be run more efficiently as the fake email claims complete anonymity of the voters registered in luring potential victims.
Leveraging ‘Black Lives Matter’ Campaign
Leveraging the popularity of ongoing movements, celebrities, and the latest buzz topics, and luring potential victims into opening phishing emails is a popular trait of cybercriminals. This has been evident from earlier instances, for example, when the Emotet malware operators used environmental activist Greta Thunberg’s popularity to infect computers in Europe and Asia. The phishing emails back then looked like any other invite from Greta for a climate change summit or demonstration with email subjects carrying enticing text like “Demonstration 2019” or “I invite you.”
Similarly, pretending to be an email from the “Country administration,” the ongoing phishing campaign also targets potential victims by using subject lines such as, “Vote anonymously about Black Lives Matter.” Like other phishing campaigns, this email also contains a malicious word file as an attachment. When a user clicks on the “Enable Content” option while opening the Word file, the macros start running and downloads the Trickbot malware. When executed, this malware can further drop other payloads to carry out malicious activities.
What Trickbot Steals?
Historically, Trickbot malware is a banking Trojan. However, with time it has evolved in nature. Some of its top traits are:
- Lateral movement in the network for maximum damage
- Exfiltrating user credentials from browsers
- Exfiltrating Active Directory Services databases
- Stealing cookies and OpenSSH keys
- Theft of RDP, VNC, and PuTTY Credentials
- Installing additional payloads (e.g. ransomware)