Threat Research

Global Malicious Spam Campaign Using Black Lives Matter as a Lure

By Val Saengphaibul and Fred Gutierrez | June 15, 2020

FortiGuard Labs Threat Analysis 

Affected platforms:     Windows 10 & Windows Server 2019
Impacted parties:        Windows 10 version 1809 + and Windows Server version 1903 +
Impact:                        Privilege Escalation & User-Privacy Settings Violation
Severity level:              Important

On June 10, 2020, FortiGuard Labs came across a global malicious spam campaign that is targeting users who may be sympathetic to the Black Lives Matter movement that began in the United States. With all of the calamity of 2020, such as the ongoing COVID-19 pandemic and the numerous protests in the United States and elsewhere, attackers are leveraging the global news cycle to lure unsuspecting victims to download and open malicious attachments. 

The campaign uses a variety of subject lines for emails with an attached malicious Microsoft Word document to compel the user into opening the attachment. The content of the body is written in haste and uses poor grammar, but the Black Lives Matter subject is used to compel victims into opening the attachment:

Leave a review confidentially about [various Black Lives Matter subjects] 
Claim in attached file

These emails utilize variations in subjects and sender names to either circumvent spam filters or to simply create confusion. An example of the variety of subjects and senders being used is shown below:

Figure 1. Variants of Black Lives Matter Spam and Subject lines

Technical Details of the Malicious Spam Campaign Using Black Lives Matter to Lure Victims

The attachment is a standard Microsoft Word document with a generic image enticing the user to enable macros.

Figure 2. Image in Word Document Compelling User to Enable Macros.

When we try to examine the macro, we find that it is protected by a password, as is the case with many malicious documents. This adds an additional layer of protection to prevent casual analysis. And after extracting the macro, we also see that an obfuscated string is used to hide the payload. 

Figure 3. Obfuscation to hide payload

Once it goes through the deobfuscation process, we can see that it is using injection to deliver its malicious payload. In this case, it is loading the stage 1 downloader. 

Figure 4. Thread created after call to VirtualProtectEx that contains the injection instruction to download and execute Trickbot

Once a memory region is created by the call to VirtualProtectEx, a thread is created and executed. This new thread contains the actual payload to execute assembly instructions in memory. It then unpacks itself and proceeds to contact C2 servers in order to download and execute Trickbot. 

The campaign utilizes that same strategy as previous Trickbot attacks. The individuals behind Trickbot have used trending topics before to lure victims and extend their installed base. The campaign just prior to the current one leveraging the Black Lives Matter movement in the United States, was focused on COVID-19, which we previously analyzed. Performing OSINT research, it appears that the command and control servers used by the actors behind this latest campaign have also compromised two specific sites, a city government website based in South East Asia using the Joomla CMS, and a manufacturer in the United States that is using WordPress as its CMS.

At the time of discovery, FortiGuard Labs was one of a handful of vendors who had detected the sample used in this analysis: 

File name: e-vote_form_78211.doc

[SHA256 - 35E1F022861474407246F0C66218A83019381E8745E4C6B294CF150F401C16DC

Detected as: VBA/Agent.KJMLBSB!tr

Figure 5. Limited Coverage During Time of Discovery

Global Spread

Analyzing the domains and infrastructure used by the threat actors, we find that they are all hosted in the Czech Republic (CD-Telematika a.s.). While this does not mean anything in terms of attribution, it is still interesting that this is the ISP chosen by the actors behind this latest Trickbot campaign. Scouring our passive DNS records has revealed nothing in terms of past campaigns originating from the identified servers, which is increasingly the case given the reality of easy-to-spin-up virtual private servers and on-demand cloud infrastructures. 

We can also see that a spike developed quite noticeably on the day this was discovered (June 10th). This is true for all domains related to this specific campaign:

Figure 6. Brand new spike for all domains used in this campaign observed on June 10

While the US and Canada are its primary targets, we have detected variations of this campaign affecting other countries as well. Here is a brief breakdown of what we have discovered.



Figure 7: Domain Name -

Based on our telemetry, the top 5 countries targeted by this specific campaign are Canada (48%) and the United States (46%), with France, Cyprus, and Italy having seen activity averaging less than one percent.



Figure 8: Domain Name -

The top 5 countries targeted by this specific campaign are Canada (48%) and the United States (46%). This time, France, Thailand, and Cyprus have seen less than 1% of activity.



Figure 9: Domain Name -

We can now see a pattern developing. The top countries targeted by this specific campaign are again, the United States (46%) and Canada (45%), this time with Italy, Cyprus, and Oman averaging less than one percent of activity. While the US and Canada are clearly the primary targets, Cyprus is consistently included in the spillover.



Figure 10: Domain Name -

Interestingly, based on our telemetry, there were only 4 countries targeted by this specific campaign. And other than the usual targets of the United States (49%) and Canada (48%), the other countries impacted this time are Rwanda and United Kingdom, averaging less than one percent of activity.



Figure 11: Domain Name -

Finally, our telemetry shows that the top 5 countries targeted by this specific campaign again include the United States (61%) and Canada (36%), and with Italy and Cyprus again showing up, but this time with Germany included. These three countries have also seen activity averaging less than one percent.

Mitigation of the Malicious Spam Campaign

FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. If it is deemed that patching is not feasible, it is recommended that IPS be used for proximity control, also known as virtual patching, and that a risk assessment is conducted to determine additional mitigation safeguards within an environment.

In the meantime, organizations are strongly encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage their employees to never open attachments from someone they don’t know, and to always treat emails from unrecognized/untrusted senders with caution.

Initial Access Mitigation: FortiMail or other secure mail gateway solutions can be used to block specific file types such as the ones outlined in this blog. FortiMail can also be configured to send attachments to our FortiSandbox solution (ATP), either on-premises or in the cloud, to determine if a file displays malicious behavior. FortiGate firewalls with anti-virus enabled, combined with a valid subscription, are able detect and block this threat if properly configured.

Execution: Since it has been reported that this threat has been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of the various types of attacks being delivered using this method. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by internal security departments within an organization. Simple user awareness training on how to spot emails with malicious attachments or links could stop initial access into the network.

Fortinet Solutions: If user awareness training fails and a user opens a malicious attachment or link, FortiEDR is able to prevent TrickBot from executing. FortiClient running the latest up-to-date virus signatures will also detect and block this file and associated files. The file(s) highlighted in our report are currently being detected with the current definition: 

78.072 (Added Jun 10, 2020)

Exfiltration and C&C: A FortiGate located at each of your ingress and egress points with its Web Filtering service enabled, and with up-to-date definitions and/or Botnet Security enabled will detect and block any observable outbound connections if configured correctly.

Web Filtering: All network IOCs in this report have been placed on the block list by the FortiGuard Web Filtering service.

Malicious Word Document Protection: FortiGuard CDR (Content Disarm & Reconstruction) supported by FortiMail and FortiGate, processes all incoming files, deconstructs them, and then strips all active content from those files in real-time to create a flat, sanitized file. CDR fortifies zero-day file protection strategies by proactively removing any possibility of malicious content in your files.

Other Fortinet Safeguards: It is important to note that as attacks continue to become more sophisticated they can sometimes circumvent your security defenses. This is why it is important to ensure that, in addition to a layered security strategy, you also have the ability to detect anomalous activity that could be malicious.

In addition, our Enterprise Bundle addresses this and similar attacks. The Enterprise Bundle consolidates all the cybersecurity services you need to protect and defend against all cyberattack channels, from the endpoint to the cloud, including IoT devices, providing you with the integrated defense needed to tackle today’s advanced threats such as the one outlined here, as well as address today's challenging risk, compliance, management, visibility, and Operational Security (OT) concerns.


Spearphishing Attachment

ID: T1193

Tactic: Initial Access

Platform: Windows


ID: T1064

Tactic: Defense Evasion, Execution

Platform: Windows

Defense Evasion

ID: T1064

Tactic: Defense Evasion, Execution

Platform: Windows

Standard Application Layer Protocol

ID: T1071

Tactic: Command And Control

Platform: Windows

Standard Cryptographic Protocol

ID: T1032

Tactic: Command And Control

Platform: Windows

Indicators of Compromise

File name: e-vote_form_78211.doc

[SHA256 - 35E1F022861474407246F0C66218A83019381E8745E4C6B294CF150F401C16DC

Detected as: VBA/Agent.KJMLBSB!tr

Network IOCs:

Other Samples Related to this Campaign:

Detected as VBA/Agent.KJMLBSB!tr:





























Empowering CTA 

FortiGuard Labs has shared the findings in this report with fellow Cyber Threat Alliance members, including file samples and indicators of compromise. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolioSign up for the weekly Threat Brief from FortiGuard Labs. 

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert programNetwork Security Academy program, and FortiVet program.

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.