It didn’t take long for threat actors to move on to the next major event as an enticing lure for their phishing emails. According to a tweet by @abuse_ch, the operators behind TrickBot are hoping to take advantage of the widespread coverage of the Black Lives Matter movement by sending out poorly written emails with the subject line “Leave a review confidentially about Black Lives Matter”, asking recipients to “vote” anonymously using an attached document. The attachment is a Microsoft Word document containing macros. If the document is opened and macros are enabled, a TrickBot payload is downloaded from the domains ppid.indramayukab.go[.]id or www.inspeclabeling[.]com.
This new campaign follows a recent update in which TrickBot replaced its previous “mworm” module with what is now called “nworm.” After compromising a regular workstation, TrickBot uses these modules to infect vulnerable domain controllers. The updated nworm module downloads its payload in an encrypted format and runs entirely from memory on the domain controller: no artifacts are left on disk, and the infection does not survive a reboot.
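Because the nworm stage runs only in memory on the domain controller, the mail gateway and web proxy are where evidence of this campaign persists, so the following added example (not code from the original post or from @abuse_ch) matches the published lure subject and download domains against constructed log records. The macro-capable file extensions, the log formats and every sample entry are assumptions made for the example; only the subject line and the two defanged domains come from the write-up.

```python
from urllib.parse import urlsplit

# Lure subject and payload domains as reported above (domains kept defanged, as on the page).
CAMPAIGN_SUBJECT = "Leave a review confidentially about Black Lives Matter"
PAYLOAD_DOMAINS_DEFANGED = ["ppid.indramayukab.go[.]id", "www.inspeclabeling[.]com"]
# Word formats that can carry VBA macros (assumed; the page says only "Word document containing macros").
MACRO_CAPABLE = (".doc", ".dot", ".docm", ".dotm")

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' into a matchable lowercase hostname."""
    return indicator.replace("[.]", ".").lower()

PAYLOAD_DOMAINS = {refang(d) for d in PAYLOAD_DOMAINS_DEFANGED}

def mail_alerts(records):
    """Return ids of mail records carrying the lure subject plus a macro-capable Word attachment."""
    hits = []
    for rec in records:
        subject = rec.get("subject", "").strip().lower()
        attachments = [a.lower() for a in rec.get("attachments", [])]
        if subject == CAMPAIGN_SUBJECT.lower() and any(a.endswith(MACRO_CAPABLE) for a in attachments):
            hits.append(rec["id"])
    return hits

def proxy_alerts(lines):
    """Return (client, host) for proxy lines whose destination is a payload domain or one of its subdomains."""
    hits = []
    for line in lines:
        parts = line.split()  # constructed format: "<timestamp> <client-ip> <method> <url> <status>"
        if len(parts) < 5:
            continue
        host = (urlsplit(parts[3]).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in PAYLOAD_DOMAINS):
            hits.append((parts[1], host))
    return hits

# Constructed sample telemetry, not real logs.
MAIL_LOG = [
    {"id": "m1", "subject": CAMPAIGN_SUBJECT, "attachments": ["vote_form.doc"]},
    {"id": "m2", "subject": CAMPAIGN_SUBJECT, "attachments": ["notes.txt"]},  # lure subject, no macro doc
    {"id": "m3", "subject": "Q2 invoice", "attachments": ["invoice.docm"]},  # macro doc, different lure
]
PROXY_LOG = [
    "2020-06-11T10:02:13Z 10.0.0.5 GET http://www.inspeclabeling.com/r/a.bin 200",
    "2020-06-11T10:02:14Z 10.0.0.7 GET https://example.com/ 200",
    "2020-06-11T10:03:00Z 10.0.0.9 GET http://cdn.ppid.indramayukab.go.id/x 404",
]

if __name__ == "__main__":
    print(mail_alerts(MAIL_LOG), proxy_alerts(PROXY_LOG))
```

The subdomain check matters because a download path can sit on a host under the reported domain rather than on the domain itself.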