The campaign asks users to download NetSupport Manager, a remote administration tool that is
commonly used by hackers to gain control of devices.
Microsoft has issued a warning about massive Covid-19-themed phishing campaigns that
cybercriminals are using to extract information.
“We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport
Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19
themed campaign started on May 12 and has so far used several hundreds of unique attachments,”
said Microsoft’s Security Intelligence team.
Microsoft explains how this works
Microsoft also went on to explain how the phishing attack works. Users are sent a phishing email
with an Excel attachment named “covid_usa_nyt_8072.xls”, which shows statistics on Covid-19 deaths in the US. The data is said to be based on the New York Times. The email
presents the Johns Hopkins Center as its source.
Once a user downloads and opens the sheet, a pop-up appears that says “Enable Content.” If the user
clicks on it, hackers are able to install the NetSupport Manager client from a
remote site. Once the hackers have control, they can access the device and have entire control
of the system.
It is also worth noting that the remote administration tool looks like a legitimate Windows
Manager box, which makes it difficult for users to tell whether or not it is a fake.
“The NetSupport RAT used in this campaign further drops multiple components, including several
.dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It
connects to a C2 server, allowing attackers to send further commands,” Microsoft added.
“We’ve been notified of a phishing attack that claims to come from us w/ the title ‘WHO COVID-19
SITUATION REPORT’. We don’t send attachments in our daily update. Pls double check email address of sender & don’t download files from unknown sources,” Johns Hopkins Center said in a tweet.
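
Microsoft's statement above ties delivery to attachments containing Excel 4.0 macros. The following is an added triage example, not code from Microsoft or from this article: it walks the sheet index of a legacy .xls Workbook stream and reports Excel 4.0 macro sheets and whether they are hidden. It assumes an unencrypted BIFF8 stream already extracted from the attachment; the function names and the sample bytes are constructed for illustration.

```python
import struct

BOUNDSHEET = 0x0085  # BIFF8 BoundSheet8 record: one per sheet in the workbook
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm-macro", 0x02: "chart", 0x06: "vba-module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}

def list_sheets(workbook_stream: bytes):
    """Walk BIFF8 records; return (name, type, visibility) for each BoundSheet8."""
    sheets, pos = [], 0
    while pos + 4 <= len(workbook_stream):
        rec_type, rec_len = struct.unpack_from("<HH", workbook_stream, pos)
        data = workbook_stream[pos + 4 : pos + 4 + rec_len]
        pos += 4 + rec_len
        if len(data) < rec_len:
            break  # truncated record: stop rather than misparse
        if rec_type != BOUNDSHEET or rec_len < 8:
            continue
        # Layout: 4-byte stream offset, state, sheet type, name length, name flags
        state, kind, cch, flags = struct.unpack_from("<BBBB", data, 4)
        if flags & 0x01:  # fHighByte set: name stored as UTF-16LE
            name = data[8 : 8 + 2 * cch].decode("utf-16-le", "replace")
        else:
            name = data[8 : 8 + cch].decode("latin-1")
        sheets.append((name, SHEET_TYPES.get(kind, hex(kind)),
                       VISIBILITY.get(state & 0x03, "unknown")))
    return sheets

def xlm_macro_sheets(workbook_stream: bytes):
    """Sheets that hold Excel 4.0 (XLM) macros, the type to flag for review."""
    return [s for s in list_sheets(workbook_stream) if s[1] == "xlm-macro"]

def _record(rec_type, payload):
    return struct.pack("<HH", rec_type, len(payload)) + payload

def _boundsheet(name, kind, state):
    raw = name.encode("latin-1")
    return _record(BOUNDSHEET, struct.pack("<IBBBB", 0, state, kind, len(raw), 0) + raw)

# Constructed sample stream (not taken from any real attachment):
# BOF, a visible worksheet, a hidden macro sheet, EOF.
SAMPLE = (_record(0x0809, b"\x00\x06\x05\x00" + b"\x00" * 12)
          + _boundsheet("Sheet1", 0x00, 0)
          + _boundsheet("Macro1", 0x01, 1)
          + _record(0x000A, b""))

if __name__ == "__main__":
    for name, kind, vis in xlm_macro_sheets(SAMPLE):
        print(f"Excel 4.0 macro sheet: {name!r} ({vis})")
```

On a real attachment the Workbook stream first has to be read out of the file's OLE2 container; this block takes the stream bytes as input.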