Posts: 192 +26
The phishing campaign, as detailed by Microsoft's Security Intelligence team via Twitter, has been circulating since at least May 12th and comes with a Covid-19 lure to bait users into opening the email and accompanying attachment.
"We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The Covid-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments," said Microsoft's Security Intelligence team through several tweets.
We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments. pic.twitter.com/kwxOA0pfXH— Microsoft Security Intelligence (@MsftSecIntel) May 18, 2020
The emails claim to originate from The Johns Hopkins Center with titles like "WHO COVID-19 SITUATION REPORT." The emails contain attached Microsoft Excel files alleged to contain statistics on Covid-19 cases, and if opened, will use Excel 4.0 macros to install and run NetSupport Manager. While NetSupport Manager is a legitimate tool for remote control and desktop access, Microsoft claims it's known to be abused by attackers to run code on compromised machines.
From there, the NetSupport RAT (Remote Access Tool) connects to a C2 server to administer more commands, and also runs "several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script."
Microsoft's Security Intelligence Team notes that it has been seeing a steady increase in the use of Exel 4.0 macros deployed in malicious campaigns. And since April, the team has been seeing malicious Exel 4.0 macros combined with Covid-19 lures to slip under potential victims' radars.
Masthead credit: Wachiwit