Researchers from the Microsoft Security Intelligence team provided some details on a new massive phishing campaign using COVID-19 themed emails.
The messages used weaponized Excel documents, the IT giant observed a spike in the number of malicious documents in malspam campaigns which use Excel 4.0 macros.
“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.” states Microsoft in a Tweet.
The latest COVID-19 campaign began in April, the messages purport to be from the Johns Hopkins Center and use an Excel attachment. Once opened the attachment, it will show a graph of Coronavirus cases in the United States and trick the victims into enabling the macros to start the infection.
The macros drop a remote access tool (RAT) named NetSupport Manager, it is a legitimate application that is abused by attackers to take control over victim systems.
“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines.” continues Microsoft.
The NetSupport RAT employed in this COVID-19-themed campaign also drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. Then it connects to a command and control server, allowing threat actors to send further commands.
Below the Indicators of Compromise (IoCs) shared by Microsoft:
Below a list or recommendations to avoid this threat:
(SecurityAffairs – COVID-19, hacking)