As the COVID-19 pandemic has clearly indicated, hackers are quick to adapt their phishing and malware campaigns in response to global and local happenings. New lures are quickly developed to maximize the probability of success.

In the initial stages of the pandemic, when very little was knowledge available regarding SARS-CoV-2 and COVID-19, there was huge public worry and hackers used this to their own advantage. The threat actors behind TrickBot malware, one of the most dangerous malware threats, regularly amend their lures in response to newsworthy events to increase the probability of emails and attachments being clicked on. The TrickBot gang adopted COVID-19 and coronavirus themed lures when the virus began to spread globally and there was a huge craving for knowledge about the virus and local clusters.

It is therefore no shock to see the TrickBot operators adopt a new lure linked to Black Lives Matter. There were huge protests in the United States after the death of George Floyd at the hands of a police officer, and those protests have spread around the world. In many countries the headlines have featured stories about Black Lives Matter protests and counter protests, and the public mood has presented another possibility for the gang.

The most recent TrickBot email campaign uses a subject line of “Leave a review confidentially about Black Lives Matter,” which has been designed to appeal to individuals both for and against the protests. The emails include a Word document attachment named e-vote_form_3438.doc, although several variations along this theme are possible.

The emails ask the user open and complete the form in the document to file their anonymous feedback. The Word document involves a macro which users are requested to turn on to allow their feedback to be provided. Doing so will trigger the macro which will install a malicious DLL, which installs the TrickBot Trojan.

TrickBot is mainly a banking Trojan but is modular and frequently updated with new functions. The malware gathers a range of sensitive information, can exfiltrate files, can move laterally, and also install other malware variants. TrickBot has been widely used to install Ryuk ransomware as a secondary payload when the TrickBot gang has achieved their main objective.

The lures implemented in phishing and malspam emails frequently change, but malspam emails distribute the same threats. Security awareness training can assist in enhancing resilience against phishing threats by conditioning employees how to treat unsolicited emails. Making employees aware of the latest tactics, techniques, procedures, and social engineering tactics being used to spread malware will help them to spot threats that land in their inboxes.

No matter what trick is used to get users to click, the best security measure against these attacks is to ensure that your technical defenses are up to scratch and malware and malicious scripts are spotted as such and are blocked and never land in end users’ inboxes. That is an area where TitanHQ can be of assistance.

SpamTitan Cloud is a strong email security solution that provides protection against all email attacks. Dual antivirus engines prevent all known malware threats, while predictive technologies and sandboxing supplies protection against zero-day malware and phishing attacks. No matter what email system you deploy, SpamTitan adds a vital extra layer of security to block threats before they land in inboxes.

For additional information on how you can enhance protection and block phishing, spear phishing, email impersonation, and malware and ransomware threats, give the TitanHQ team a call now.