Microsoft is warning of a major new COVID-19 phishing campaign using malicious Excel macros to achieve remote access of victims’ machines via a legitimate support tool.
Microsoft Security Intelligence revealed the news in a series of tweets, claiming the campaign began on May 12.
“The emails purport to come from Johns Hopkins Center bearing ‘WHO COVID-19 SITUATION REPORT.’ The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT,” it explained.
“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.”
In this respect, the campaign is similar to many others that have been launched over recent weeks and months, with cyber-criminals effectively rebranding existing content with COVID-19 themes to increase success rates.
Google claimed it has been blocking over 240 million COVID-themed spam messages each day, and 18 million malware and phishing emails.
“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines,” Microsoft said of the latest RAT campaign.
“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands.”
In the UK, these kinds of emails should be reported to the National Cyber Security Centre’s Suspicious Email Reporting Service, but this first requires the presence-of-mind to do so from employees.
“The advice for organizations and employees is to remain vigilant to this new kind of threat, and to deploy training as regularly as possible to make sure individuals remain aware,” advised DomainTools malware researcher, Tarik Saleh. “Phishing is at its core an attack on people, and people remain the best defense against it, in addition to ensuring proper processes remain in place.”