As the COVID-19 pandemic has clearly shown, cybercriminals are quick to adapt their phishing and malware campaigns in response to global and local events. New lures are constantly developed to maximize the probability of success.

In the early stages of the pandemic, when very little was known about SARS-CoV-2 and COVID-19, there was huge public concern and cybercriminals took advantage. The threat actors behind TrickBot malware, one of the most dangerous malware threats, regularly change their lures in response to newsworthy events to increase the probability of emails and attachments being opened. The TrickBot gang adopted COVID-19 and coronavirus themed lures when the virus started to spread globally and there was a huge craving for knowledge about the virus and local cases.

It is therefore no surprise to see the TrickBot operators adopt a new lure related to Black Lives Matter. There were huge protests in the United States following the death of George Floyd at the hands of a police officer, and those protests have spread globally. In several countries the headlines have been dominated by stories about Black Lives Matter protests and counter protests, and the public mood has presented another opportunity for the gang.

The latest TrickBot email campaign uses a subject line of “Leave a review confidentially about Black Lives Matter,” which has been crafted to appeal to individuals both for and against the protests. The emails contain a Word document attachment named e-vote_form_3438.doc, although several variations along this theme are likely.

The emails request the user open and complete the form in the document to submit their anonymous feedback. The Word document includes a macro which users are requested to enable to allow their feedback to be provided. Doing so will trigger the macro which will download a malicious DLL, which installs the TrickBot Trojan.

TrickBot is first and foremost a banking Trojan but is modular and frequently updated with new functions. The malware collects a range of sensitive information, can exfiltrate files, can move laterally, and also download other malware variants. TrickBot has been extensively used to download Ryuk ransomware as a secondary payload when the TrickBot gang has achieved their initial objective.

The lures used in phishing and malspam emails frequently change, but malspam emails distribute the same threats. Security awareness training can help to improve resilience to phishing threats by conditioning employees how to respond to unsolicited emails. Making employees aware of the latest tactics, techniques, procedures, and social engineering tactics being used to spread malware will help them to identify threats that land in their inboxes.

Regardless of the ruse used to get users to click, the best defense against these attacks is to ensure that your technical defenses are up to scratch and malware and malicious scripts are identified as such and are blocked and never reach end users’ inboxes. That is an area where TitanHQ can help.

SpamTitan Cloud is a powerful email security solution that provides protection against all email threats. Dual antivirus engines block all known malware threats, while predictive technologies and sandboxing provides protection against zero-day malware and phishing threats. No matter what email system you use, SpamTitan adds an important extra layer of security to block threats before they reach inboxes.

For further information on how you can improve protection and block phishing, spear phishing, email impersonation, and malware and ransomware threats, give the TitanHQ team a call today.