Microsoft Warns of Massive COVID-19 Themed Phishing Campaign That Lets Attackers Gain Remote Access

Microsoft says a massive COVID-19 themed phishing campaign is underway, as a part of which attackers install the NetSupport Manager remote access tool to gain remote access. The new campaign, which was detected by the Microsoft Security Intelligence team, started on May 12. The malware payload comes through malicious Excel attachments that are being sent by the attackers via emails. Notably, this isn't the first time when cyber-attackers are using COVID-19 as an opportunity to hack people. Companies including Google have already warned about the increase in such phishing attacks.

Through a series of tweets, the Microsoft Security Intelligence team has detailed the ongoing phishing attacks. The team says that the campaign delivers the NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros.

As per the details provided by the Microsoft team, the attack begins with emails that pretend to come from Johns Hopkins Center and show details about the active COVID-19 cases in the US. However, in reality, the emails include Excel files that once open, show a graphical representation of the coronavirus data. However, the files also include malicious Excel 4.0 macros that will prompt users to “Enable Content”. This begins the download and installation process of the NetSupport Manager client from a remote site.

Microsoft's researchers have found that emails pretend to come from John Hopkins Center carry malicious Excel files
Photo Credit: Twitter/ Microsoft Security Intelligence

“For several months now, we've been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures,” the team notes in one of its tweets.

Once the remote access tool is installed on a victim's system, the attackers can access and run commands remotely.

In a particular case, the Microsoft team has noticed that the NetSupport Manager was used to drop multiple components, including some executable files and establish connectivity with a C2 server to enable further commands from the attackers.

Pay attention to what you're downloading from emails
Users are recommended to avoid paying attention to random emails and verify email addresses from where they're receiving new emails before downloading the included attachments. Also, it is suggested to immediately change passwords if you find any odd behaviour on your system.

How are we staying sane during this Coronavirus lockdown? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.