Microsoft has warned of a massive Covid-19-themed phishing campaign run by cybercriminals. The campaign lures users into opening an Excel attachment that installs NetSupport Manager, a legitimate remote administration tool that attackers commonly abuse to take control of victims’ devices.
“We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundred unique attachments,” said Microsoft’s Security Intelligence team.
Microsoft also showed how the attack works. Targets receive a phishing email with an Excel attachment named “covid_usa_nyt_8072.xls” that purports to show statistics on Covid-19 deaths in the US, supposedly based on New York Times data. The email is crafted to look as if it comes from the Johns Hopkins Center.
When the user opens the spreadsheet, Excel displays a security warning with an “Enable Content” button. If the user clicks it, the embedded Excel 4.0 macro runs, downloads the NetSupport Manager client from a remote site and installs it. With the tool in place, the attackers can execute commands on the machine remotely.
What makes this effective is that NetSupport Manager is a legitimate commercial remote administration tool, so once installed it looks like an ordinary management component and is very difficult for users to recognise as malicious.
“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands,” Microsoft added.
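The chain described above (Excel 4.0 macro runs after “Enable Content”, a remote payload is fetched, then scripts and executables are dropped and a PowerShell script runs) leaves a recognisable footprint in process-creation telemetry. The following is an added example, not code from the article or from Microsoft, that runs simple detection rules over constructed Sysmon-style Event ID 1 records: Excel spawning a script host, Excel launching a binary from a user-writable path, and PowerShell started with an encoded command. The field names follow Sysmon; the process IDs, paths and command lines are made up for the example (only the attachment name comes from the article).

```python
import json
import ntpath
import re

# Interpreters and download helpers that Excel has no ordinary reason to
# launch. List assembled for this example; extend it for your environment.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Path fragments marking user-writable locations a dropper typically writes to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
# Matches "-e <base64>", "-enc <base64>" or "-EncodedCommand <base64>".
ENCODED_PS = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", re.IGNORECASE)


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of rule names that one process-creation event trips."""
    parent = _name(event.get("ParentImage", ""))
    image_path = event.get("Image", "").lower()
    image = _name(image_path)
    cmdline = event.get("CommandLine", "")
    hits = []
    if parent == "excel.exe":
        if image in SCRIPT_HOSTS:
            hits.append("excel_spawns_script_host")
        if any(frag in image_path for frag in USER_WRITABLE):
            hits.append("excel_runs_binary_from_user_writable_path")
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmdline):
        hits.append("powershell_encoded_command")
    return hits


def triage(jsonl):
    """Run classify() over newline-delimited JSON events; return (pid, hits) for alerts only."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            alerts.append((event.get("ProcessId"), hits))
    return alerts


# Constructed sample events (not real telemetry) in the shape of Sysmon Event ID 1.
# Only the attachment name is from the article; everything else is invented.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4100, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" C:\Users\alice\Downloads\covid_usa_nyt_8072.xls'},
    {"ProcessId": 4188, "Image": r"C:\Windows\splwow64.exe",              # benign print helper
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "splwow64.exe 12288"},
    {"ProcessId": 4212, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": 4260, "Image": r"C:\Users\alice\AppData\Roaming\svc\svc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\svc\svc.exe"},
])

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS):
        print(pid, hits)
```

Only the two events that follow the “Enable Content” click are flagged: the PowerShell child trips two rules and the executable started from AppData trips one, while Excel being opened by Explorer and its print helper pass. The parent-process rule is the important one; an Excel 4.0 macro can download and execute a payload without any VBA, so rules that only look at VBA or at the document itself miss this variant.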
Meanwhile, the Johns Hopkins Center has clarified that it never sends attachments in its emails.
“We’ve been notified of a phishing attack that claims to come from us w/ the title “WHO COVID-19 SITUATION REPORT”. We don’t send attachments in our daily update. Pls double check email address of sender & don’t download files from unknown sources,” the organization said in a tweet.
So, what’s the fix?
Various studies report a sharp rise in Covid-19-related cyber attacks. Users should not rely on unsolicited emails for information on the pandemic. Gmail and Outlook scan incoming mail for malware, but some malicious messages slip through, so attachments from unknown sources should not be opened at all.
To spot a phishing email, check the spelling of the sender’s address: it is usually a subtle variation of the legitimate one. Be wary of emails that demand urgent action or push you to download something right away.
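The sender-address check above can be automated. The following is an added example, not code from the article or from any of the organisations it mentions, that parses the From and Reply-To headers of constructed sample messages and flags near-miss spellings of a trusted domain, trusted domains embedded in an unrelated domain, internationalised (punycode) domains that may be using lookalike characters, and a Reply-To that points somewhere other than the sender’s domain. The trusted list (jhu.edu for the Johns Hopkins Center, who.int for the WHO) is an assumption made for the example, and every sample message is constructed.

```python
import email
from email.utils import parseaddr

# Assumed trusted domains for this example (the article names the organisations,
# not the domains).
TRUSTED_DOMAINS = {"jhu.edu", "who.int"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Domain part of an address header, normalised to ASCII (Unicode labels become xn--)."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    dom = addr.rsplit("@", 1)[1].lower()
    try:
        return dom.encode("idna").decode("ascii")
    except UnicodeError:
        return dom


def assess_sender(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of reasons to distrust the sender; an empty list means no red flag."""
    msg = email.message_from_string(raw_message)
    dom = sender_domain(msg.get("From", ""))
    if not dom:
        return ["no parseable sender address"]
    reasons = []
    if dom not in trusted:
        if "xn--" in dom:
            # Punycode label: the address may render with lookalike Unicode characters.
            reasons.append(f"internationalized (xn--) sender domain '{dom}'")
        for t in trusted:
            if dom.endswith("." + t):
                continue  # genuine subdomain of a trusted domain
            if edit_distance(dom, t) <= 2:
                reasons.append(f"sender domain '{dom}' is a near-miss spelling of '{t}'")
            elif t in dom:
                reasons.append(f"sender domain '{dom}' embeds '{t}' but is not under it")
    reply_dom = sender_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != dom:
        reasons.append(f"Reply-To goes to '{reply_dom}', not the sender's domain '{dom}'")
    return reasons


# Constructed sample messages (headers only matter here). The subject line of the
# second one is the title quoted by Johns Hopkins; the addresses are invented.
SAMPLES = {
    "legit": "From: Johns Hopkins Center <alerts@jhu.edu>\nSubject: Daily update\n\n(body)\n",
    "typo": "From: Johns Hopkins Center <alerts@jhu.educ>\n"
            "Subject: WHO COVID-19 SITUATION REPORT\n\n(body)\n",
    "embedded": "From: Johns Hopkins Center <update@jhu.edu.covid-stats.com>\n"
                "Subject: Daily update\n\n(body)\n",
    "reply_to": "From: WHO <report@who.int>\nReply-To: who-report@example-mail.net\n"
                "Subject: Situation report\n\n(body)\n",
    # "wh\u043e.int": the "o" is Cyrillic U+043E, a visual twin of Latin "o".
    "homoglyph": "From: WHO <report@wh\u043e.int>\nSubject: Situation report\n\n(body)\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, assess_sender(raw) or "ok")
```

The check catches careless lookalikes and the common Reply-To swap, but the From header and its display name are trivially forged, so it is a triage aid rather than proof of origin. Whether a message genuinely came from jhu.edu or who.int is answered by the receiving mail server’s SPF, DKIM and DMARC results, usually recorded in the Authentication-Results header.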