FortiGuard Labs Threat Analysis 

Affected platforms:     Windows 10 & Windows Server 2019
Impacted parties:        Windows 10 version 1809 + and Windows Server version 1903 +
Impact:                        Privilege Escalation & User-Privacy Settings Violation
Severity level:              Important

On June 10, 2020, FortiGuard Labs came across a global malicious spam campaign that is targeting users who may be sympathetic to the Black Lives Matter movement that began in the United States. With all of the calamity of 2020, such as the ongoing COVID-19 pandemic and the numerous protests in the United States and elsewhere, attackers are leveraging the global news cycle to lure unsuspecting victims to download and open malicious attachments.

The campaign uses a variety of subject lines for emails with an attached malicious Microsoft Word document to compel the user into opening the attachment. The content of the body is written in haste and uses poor grammar, but the Black Lives Matter subject is used to compel victims into opening the attachment:

Leave a review confidentially about [various Black Lives Matter subjects] Claim in attached file

These emails utilize variations in subjects and sender names to either circumvent spam filters or to simply create confusion. An example of the variety of subjects and senders being used is shown below:

Figure 1. Variants of Black Lives Matter Spam and Subject linesFigure 1. Variants of Black Lives Matter Spam and Subject lines

Technical Details of the Malicious Spam Campaign Using Black Lives Matter to Lure Victims

The attachment is a standard Microsoft Word document with a generic image enticing the user to enable macros.

Figure 2. Image in Word Document Compelling User to Enable Macros.
Figure 2. Image in Word Document Compelling User to Enable Macros.

When we try to examine the macro, we find that it is protected by a password, as is the case with many malicious documents. This adds an additional layer of protection to prevent casual analysis. And after extracting the macro, we also see that an obfuscated string is used to hide the payload.

Figure 3. Obfuscation to hide payloadFigure 3. Obfuscation to hide payload

Once it goes through the deobfuscation process, we can see that it is using…

Read The Full Article

Leave a Reply

Check Also

Privacy 2024 Recap – some significant decisions, slow progress for reform

The past year saw a few court decisions of note as well as halting progress toward privacy…