It didn’t take long for threat actors to move on to the next major event as an enticing lure for their phishing emails. The operators behind TrickBot are hoping to take advantage of the widespread coverage of the Black Lives Matter movement by sending out poorly written emails with the subject line “Leave a review confidentially about Black Lives Matter” asking recipients to “vote” anonymously using an attached document according to a tweet by @abuse_ch. The attached file is a Microsoft Word document file containing macros. If the document is opened and macros are enabled, a TrickBot payload will be downloaded from the domains ppid.indramayukab.go[.]id or www.inspeclabeling[.]com.
This new campaign follows a recent update in which TrickBot has replaced its previous “mworm” module with what is now called “nworm.” After compromising a regular workstation, TrickBot uses these modules to infect vulnerable domain controllers. Updated features for the nworm module include downloading the payload in an encrypted format and running entirely from memory on the domain controller. No artifacts are left behind, and the infection will not survive a reboot.
Analyst Notes
Threat actors love using current events as an enticing lure to get their victims’ attention. TrickBot is often spread through phishing emails like this or as a secondary infection through other malware like Emotet which also targets victims through phishing emails. Not all phishing emails are obvious as this one, so be cautious when opening attachments or following links from unknown senders. If you happen to open an attached document, be wary of some of the more common tactics! One of the most common messages used to trick victims is to display a message stating that the document was created in a different version of office or that the document is protected and needs you to click “Enable Editing” and “Enable Content.” These messages are walking recipients through the process of enabling the macros! Training employees on how to spot phishing attempts can go a long way towards preventing infection within the organization. Monitoring endpoints for suspicious behaviors by user accounts is another important element of defense to catch attacks even if some employees have been tricked into opening a malicious attachment.
Sources: https://twitter.com/abuse_ch/status/1270739166716989443
https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/
