Microsoft is warning users of a massive phishing campaign using malicious Excel files and fake COVID-19 news designed to install software that can allow hackers to take over end user computers.
In a series of Tweets earlier this week, Microsoft Security Intelligence tweeted that the company is tracking a “massive campaign” that installs the legitimate remote access tool NetSupport Manager via emails with attachments containing malicious Excel files.
We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments. pic.twitter.com/kwxOA0pfXH
— Microsoft Security Intelligence (@MsftSecIntel) May 18, 2020
The emails are designed to take advantage of the constant stream of COVID-19 news and purport to come from John Hopkins Coronavirus Research Center, one of the leading institutions tracking and fighting the virus. The emails contain the subject line, “WHO COVID-19 SITUATION REPORT.”
The files open with a security warning and show a graph of supposes COVID-19 cases in the U.S.
“If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT,” Microsoft tweeted.
NetSupport Manager is a legitimate remote access tool, but it is also known as an effective hacking tool that lets attackers gain access to and run commands on compromised machines.
Microsoft Security Intelligence says those kind of attacks using Excel 4.0 macros have been steadily increasing. In April, those campaigns “jumped on the bandwagon and started using COVID-19 themed lures.”
Hundreds of unique Excel files in these attacks use highly obfuscated formulas, but they all connect to the same URL to download the payload.
“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands,” Microsoft tweeted.
Microsoft providers more information about how the company prevents these kind of attacks on its security blog.