In a series of tweets, Microsoft’s Security Intelligence Team has warned users about an ongoing COVID-19 themed phishing campaign that installs NetSupport Manager remote administration tool (RAT) into Windows devices.
Microsoft’s Security Intelligence Team said the phishing campaign involves cyber criminals spreading a malware through various malicious Excel attachments included in phishing emails that pretend to be from the Johns Hopkins Centre. The excel sheet, titled covid_usa_nyt_8072.xls’, contains an update on the number of COVID-19 deaths in the United States.
“We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments,” Microsoft Security Intelligence tweeted.
Microsoft stated that this file contains malicious macros that prompt users to 'Enable Content'. Once enabled, the malicious macros will download and install the NetSupport Manager client from a remote site.
Microsoft has, however, confirmed that NetSupport Manager is a legitimate remote administration tool, frequently manipulated by cybercriminals as a remote access trojan. Once installed, the hacker can gain complete control of the compromised computer and can execute commands remotely.
The NetSupport Manager client, in this attack, will be saved in the computer as ‘dwm.exe’ file in a random folder named ‘%AppData%’ which will be difficult to notice by users viewing Task Manager. After a while, the victim's computer will be further compromised as the NetSupport Manager RAT would install other tools and scripts.
“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands,” Microsoft added.
Users are advised to avoid paying attention to random emails and verify email addresses from where they're receiving new emails before downloading the included attachments. Also, it is suggested that after cleaning the infected device, users should change the passwords and the rest of the computers on the network should be investigated for infections.
Commenting on the phishing attack, Tarik Saleh, Senior Security Engineer and Malware Researcher at DomainTools (domaintools.com) told Teiss that “this kind of attack is definitely concerning, but not surprising. Cybercriminals are constantly looking for new and inventive ways to get around the increasingly complex defences deployed by enterprises, and by moderating a traditional phishing scam – hugely successful in their own right – to bypass multi-factor authentication, they have provided themselves with a template for cybercrime success.
“The advice for organisations and employees is to remain vigilant to this new kind of threat, and to deploy training as regularly as possible to make sure individuals remain aware. Phishing is at its core an attack on people, and people remain the best defence against it, in addition to ensuring proper processes remain in place,” he added.