Researchers Uncover New Malspam Campaign Exploiting #Election2020 Controversy

Written by

A new malspam campaign designed to exploit controversies surrounding the ongoing US election has been uncovered by Malwarebytes.

The cybersecurity firm’s R&D team said that the campaign delivers malicious attachments through exploiting doubts about the legitimacy of the election process.

This comes as results are still waiting to be confirmed in several key states amid a highly emotive and dramatic Presidential election. Controversy has centered around the huge rise in postal ballots amid the COVID-19 pandemic, leading to votes continuing to be counted beyond election day.

Current President Donald Trump has declared the situation “a fraud on the American public” and called on counting to stop in Pennsylvania, Wisconsin, Georgia and Michigan. His campaign has subsequently launched legal actions in several states, alleging irregularities.

Claims that votes likely to be for Donald Trump would not be counted have been repeated across social media, leading to growing tension in areas such as Arizona, where around 200 Republican supporters reportedly descended on the Maricopa County Recorder’s Office.

It appears as though threat actors have quickly sought to exploit these tensions through the development of this new malspam campaign. Malwarebytes explained that the QBot banking Trojan operators then return with another themed spam wave using the same hijacked email thread technique to entice victims to open documents about alleged election interference. These emails come as thread replies to add legitimacy and make detection harder.

The emails contain a zip file named ElectionInterference_[8 to 9 digits].zip. This is actually an Excel spreadsheet designed to appear as if it is a DocuSign file, and users are tricked into allow macros to ‘decrypt’ the document, which will subsequently download a malicious payload onto their machine.

Once executed, the QBot Trojan can steal and exfiltrate data from its victims as well as grab emails that will be used as part of later malspam campaigns.

Commenting on the story, Chad Anderson, senior security researcher at Domaintools, said: “Cyber-criminals’ opportunism is nothing new: to every major geopolitical event corresponds an effort on the part of threat actors to exploit people's reactiveness to the issue for their own gains. Fortunately, governmental agencies and vendors alike have been warning users of the danger of election-themed scams well ahead of November 3, which hopefully means that most potential victims were able to spot the suspicious nature of Qbot's message.”

The greater use of technology for campaigning and to facilitate voting in recent elections, and especially in this year’s US ‘pandemic’ election, have increased opportunities for voter fraud and disinformation.

Speaking to Infosecurity, Kacey Clark, threat researcher at Digital Shadows, said: “The technology used in election voting processes has always been a concern as it pertains to cybersecurity. Many of us fill in paper ballots while other districts have started primarily using ballot marking devices (BMDs) or direct-recording electronic (DRE) voting machines. Although security practitioners have demonstrated the simplicity of physically tampering with voting machines, no confirmed attacks have been observed at this time. Improving and fortifying election software and hardware is imperative to election integrity, and we still have a lot of work to do.”

Victoria Mosby, federal mobile security expert at Lookout, added: “The 2020 election has seen a large uptick in the use of social media technology for reaching potential voters. COVID-19 has forced people to stay home, which means traditional canvassing has been replaced by Facebook ads, YouTube videos and tweets to galvanize voters into action.

“Social media platforms have taken major steps to improve their security and protection against disinformation and attacks by third-party actors. In particular, Facebook and Twitter are seen as the largest platform for disinformation and both have gone to great lengths to counter this issue. For instance, Twitter has announced a number of new measures to take down tweets that might call for violence around the election results.”

What’s hot on Infosecurity Magazine?