Microsoft has issued an alert to users concerning a new widespread COVID-19 themed phishing campaign that installs the NetSupport Manager remote administration tool to completely take over a user’s system and execute commands on it remotely.
Microsoft Security Intelligence team provided further details on the ongoing campaign, saying that cybercriminals were using malicious Excel attachments to infect user’s devices with a remote access trojan (RAT).
The attack begins with potential victims receiving an email that impersonates the John Hopkins Center.
“This increases the chances of attacks without the proper security checks in place, but coupled with authentic-looking emails with a genuine reason to use remote software, it becomes a plausible con. Moreover, it would seem many people have relaxed their barrier to phishing scams amid the desperation to find the latest COVID-19 news, so when scammers use names like John Hopkins University, this seems to be working better than the classic Netflix or HMRC scams,” he explains.
Microsoft says, “We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments.
“The emails purport to come from Johns Hopkins Center bearing “WHO COVID-19 SITUATION REPORT”. The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT,”.
“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.
“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines. The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands.”