Amid the vogue of COVID-19, the risk of data privacy continues. Recently researchers have figured out a Malspam campaign that delivers a survey on BLM( black lives matter). But the fact is that it injects an infamous banking trojan that compromises the system. Cyberattackers are gripping over the 24-hour news cycle again in order to dig on the current ongoing situation. This time hackers have found a new way to trick the users into its well-crafted mail. The attackers are using a fake Black Lives Matter Malspam campaign that is spreading the TrickBot malware through emails.
A malicious backdoor like “Trickbot” is used to compromise and gain complete administrative access to corporate systems. These advanced network attacks include enterprise-targeting ransomware, corporate reconnaissance, or data exfiltration attacks. It quietly installs in the system and ruins the ecosystem. “BazarBackdoor” The new phishing attack was discovered by a renowned cybersecurity firm Abuse.ch.
According to cybersecurity security firm Abuse.ch, hackers are pretending as government officials to propagate the malware. They are tricking the user into believing themselves as the authorized body. All these sins are propagated through luring socially-minded victims into clicking on a malicious attachment in an email. Typically the slogans written are grammatically crafted as “Vote anonymous about Black Lives Matter,” or “Leave a review confidentially about Black Lives Matter,”. Also, they even try to purport the user into clicking the survey document.
According to the initial sample collected by Bleeping Computer, it appeared that the attachments comprising along with mail urge recipients to “Enable Editing” or “Enable Content.” Once clicked the button, it executes a malicious macro that enables to download TrickBot, in the kind of a wicked library (.DLL file).
TrickBot is a quickly growing, and adaptable malware that has left its trace since 2016. It started its journey as a banking trojan. Over the years, it has gradually extended its functions to include harvesting user credentials from a victim’s emails, browsers, and installed network applications. It has also been developed as a full-pack module that acts as a mediator for other malware.
For instance, earlier this month, a new private backdoor that researchers call “BazarBackdoor” was added to TrickBot’s arsenal. The backdoor “BazarLoader” uses an Emercoin DNS resolution service. This service helps to resolve various hostnames that use the ‘Bazar’ domain. The ‘Bazar’ domain can only be appropriated on Emercoin’s DNS servers, and as it is decentralized, it makes it difficult, if not impossible, for law enforcement to seize the hostname.
Damage control!
Cybercrooks are looking for an instant political mass movement or sporting events. They are basically grabbing the public encroachment which is used to capitalize on the people’s interest in a given domain. Such traits occur mostly with the Super Bowl and the World Cup events. Nowadays, due to the ongoing trend of COVID-19, well crafted coronavirus-themed mails are used to provoke email recipients’ interest.
The BLM-themed campaign flagged by Abuse_ch is not the only one making the rounds. Department Head of content at cyber-threat intelligence provider whoisxmlapi.com reported that the detection mechanism of the Trickbot malware is increasing across the registered domain names. Usually, its objective is to flag domains comprising the strings “black lives” and “George Floyd”
As of now, whoisxmlapi.com has traversed through an average of 49 new domain enrollments which either contain word string. Majority of the domains are found to be safe, but they still exist several sites that are found to be infected with Trickbot malware
“In our experience, this type of domain name could convincingly end up being used as phishing traps where victims are tricked into sending money to a bogus fund or foundation,”. In general, businesses and end-users need to be mindful of this kind of news-of-the-day campaign, researchers noted — although this particular one does have some red flags, such as the fake-sounding sender’s name (“Country administration”). Francois said.
Prevention for Trickbot:
Security must be the top priority. Business firms along with its employee and end-users need to be cautious of this kind of news or propaganda discussed above. It becomes very important to raise security awareness and train the employee for the worst-case scenario.
Hackers always find a way to your system. You just need to be more attentive and vigilant.
Prashant is a student of Computer Science and Engineering at NIT Allahabad. He is also a web pentester and cybersecurity analyst. He may be an introvert and sociable person at the same time. He loves meeting new people and he is in a journey to explore himself. Currently working as a content writer at BLARROW.TECH.