The email GZ attachment contains a password-protected zip (not provided in the text), with an exe inside: the malware itself. It is not known what the next payload is.
The CSIRT-Italy cyber security experts: Cybercrime is exploiting the Black Lives Matter movement to spread Trickbot malware with a malspam campaign. Targets: USA, Canada, France, Germany, Italy and South East Asia
A new malspam campaign is leveraging the Black Lives Matter protests to spread Trickbot malware, the CSIRT-Italy cyber security experts report. The banking trojan's infection chain starts with email messages carrying malicious attachments (Microsoft Word files). The subject refers to requests for a confidential review to be released on the movement. The messages vary in the senders' names, pretending to come from government entities such as State Government, State Ministry, State Office, Country Authority or State Administration. The document contains a malicious macro protected by a password, a technique malicious actors often use to hinder casual analysis. Once the macro is enabled, it performs several steps until the target downloads and runs the TrickBot payload, carefully hidden in an obfuscated string. The victims are in the USA, Canada, France, Germany, Italy and South East Asia.
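A defender-side way to triage mail against the two traits the report names (a sender display name posing as a generic state authority, and a Word attachment whose VBA project is password-protected) is sketched below. This is an added example, not CSIRT-Italy's or any vendor's code: the sender regex, the attachment extensions and the sample email are assumptions constructed here, and the VBA check is a heuristic, a raw byte search for the plaintext `DPB=`/`CMG=` keys that a password-protected VBA project stream carries inside `word/vbaProject.bin`, so it flags protection, not maliciousness.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Display names the report attributes to the campaign; the regex itself is our assumption.
LURE_SENDER_RE = re.compile(
    r"\b(State (Government|Ministry|Office|Administration)|Country Authority)\b", re.I)
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm")
VBA_PART = "word/vbaProject.bin"  # standard OOXML location of the VBA project


def inspect_office_attachment(data: bytes) -> dict:
    """Heuristic triage of a Word attachment given as raw bytes.

    OOXML files are zip containers; a VBA project lives in word/vbaProject.bin.
    A password-protected project stores DPB=/CMG=/GC= keys in its PROJECT
    stream in plaintext, so a byte search is enough to flag it for analysts.
    Legacy binary .doc files are not zips and are reported as non-OOXML.
    """
    result = {"is_ooxml": False, "has_vba": False, "vba_password_protected": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["is_ooxml"] = True
    if VBA_PART in zf.namelist():
        result["has_vba"] = True
        blob = zf.read(VBA_PART)
        if b"DPB=" in blob and b"CMG=" in blob:
            result["vba_password_protected"] = True
    return result


def triage_email(raw: bytes) -> dict:
    """Combine the sender-name lure with attachment findings into one verdict."""
    msg = message_from_bytes(raw, policy=default)
    display_name, _addr = parseaddr(msg.get("From", ""))
    findings = {"sender_matches_lure": bool(LURE_SENDER_RE.search(display_name)),
                "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(OFFICE_EXTS):
            info = inspect_office_attachment(part.get_payload(decode=True))
            info["filename"] = name
            findings["attachments"].append(info)
    # Verdict: lure-style sender AND a password-protected VBA project attached.
    findings["suspicious"] = findings["sender_matches_lure"] and any(
        a["vba_password_protected"] for a in findings["attachments"])
    return findings


def build_sample_email() -> bytes:
    """Constructed sample for a dry run: NOT a real campaign sample.

    The attachment is a minimal zip mimicking a .docm whose fake vbaProject.bin
    carries only an OLE magic header and the protection keys a locked project has.
    """
    fake_vba = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
                + b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
                + b'Name="Project"\r\nCMG="0000"\r\nDPB="0000"\r\nGC="0000"\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(VBA_PART, fake_vba)
    msg = EmailMessage()
    msg["From"] = "State Ministry <noreply@example.invalid>"  # constructed lure sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Confidential review requested"
    msg.set_content("Please open the attached document and enable editing.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="review.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_email(build_sample_email()))
```

In a mail gateway or SOC pipeline the `suspicious` flag would route the message to sandboxing rather than block outright, since legitimate documents also ship locked VBA projects; the value of the check is that it surfaces exactly the attachment property the campaign relies on to frustrate quick analysis.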