Microsoft warns of a massive COVID-19 themed phishing campaign in which hackers install the NetSupport Manager remote access tool to gain remote access to a device. The security team at Microsoft has provided detailed information about the phishing campaign in a series of tweets.
According to the Microsoft Security Intelligence team, the COVID-19 themed campaign started on May 12 and has already used several hundred unique attachments. In the tweets, the team also mentioned that they are tracking the campaign.
Hackers send emails to the targeted victims as part of the phishing campaign. The emails claim to come from Johns Hopkins Center with a "WHO COVID-19 SITUATION REPORT". They contain Excel files that open with a security warning and display a graph of coronavirus cases in the USA. However, the Excel files contain malicious Excel 4.0 macros which, if allowed to run, download the NetSupport Manager RAT (Remote Access Tool). This tool is known for being used by hackers to gain remote access to devices, where they can run commands.
The team stated that there has been a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, the Excel 4.0 campaigns started using COVID-19 themed lures.
Further, the Microsoft team stated that these Excel files make use of "highly obfuscated formulas" that link to the same URL to download the payload.
The NetSupport RAT used in the COVID-19 themed phishing campaign comes with several other components, such as .ini, .dll, and other .exe files, a VBScript, and a PowerSploit-based PowerShell script. These components connect to a C2 server, allowing attackers to send further commands.
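For triage of attachments like the ones described above: Excel 4.0 macros live on dedicated macro sheets, which a legacy .xls workbook declares in its BOUNDSHEET records. The Python below is an added example, not code from Microsoft or from this article; it assumes the BIFF8 `Workbook` stream has already been extracted from the OLE container, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Input (assumption): raw BIFF8 "Workbook" stream of a legacy .xls file,
# already pulled out of its OLE container by whatever tool you use.
BOUNDSHEET = 0x0085  # one record per sheet in the workbook
SHEET_TYPES = {0x00: "worksheet", 0x01: "excel4-macro", 0x02: "chart", 0x06: "vba-module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}

def iter_records(stream: bytes):
    """Yield (record_type, payload) from a BIFF stream; stop on truncation."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4 : pos + 4 + rlen]
        if len(payload) < rlen:  # truncated or malformed record
            return
        yield rtype, payload
        pos += 4 + rlen

def list_sheets(stream: bytes):
    """Return [(name, type, visibility)] taken from the BOUNDSHEET records."""
    sheets = []
    for rtype, payload in iter_records(stream):
        if rtype != BOUNDSHEET or len(payload) < 8:
            continue
        # Layout: stream offset (4 bytes), visibility, sheet type, name length, flags.
        state, dt, cch, flags = struct.unpack_from("<BBBB", payload, 4)
        raw = payload[8:]
        if flags & 0x01:  # fHighByte set: name stored as UTF-16LE
            name = raw[: cch * 2].decode("utf-16-le", "replace")
        else:             # compressed 8-bit characters
            name = raw[:cch].decode("latin-1")
        sheets.append((name, SHEET_TYPES.get(dt, f"unknown-{dt:#x}"),
                       VISIBILITY.get(state & 0x03, "unknown")))
    return sheets

def macro_sheets(stream: bytes):
    """Sheets that can hold Excel 4.0 (XLM) macro formulas."""
    return [s for s in list_sheets(stream) if s[1] == "excel4-macro"]

def make_boundsheet(name: str, dt: int, state: int) -> bytes:
    """Build one BOUNDSHEET record for the constructed sample below."""
    body = struct.pack("<IBBBB", 0, state, dt, len(name), 0) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body

# Constructed sample: BOF, a visible worksheet, a hidden macro sheet, EOF.
SAMPLE = (struct.pack("<HH", 0x0809, 16) + bytes(16)
          + make_boundsheet("Chart Data", 0, 0) + make_boundsheet("Macro1", 1, 1)
          + struct.pack("<HH", 0x000A, 0))
```

A non-empty result from `macro_sheets` on an unsolicited attachment is a reason to quarantine the file before anyone clicks through the security warning.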