Microsoft is warning of an ongoing COVID-19 themed phishing campaign that installs the NetSupport Manager remote administration tool.
In a series of tweets, the Microsoft Security Intelligence team outlines how this "massive campaign" is spreading the tool via malicious Excel attachments.
The attack starts with emails pretending to be from the Johns Hopkins Center, which is sending an update on the number of Coronavirus-related deaths there are in the United States.
Malicious COVID-19 themed email
Attached to this email is an Excel file titled 'covid_usa_nyt_8072.xls', that when opened, displays a chart showing the number of deaths in the USA based on data from the New York Times.
Malicious Excel document
As this document contains malicious macros, it will prompt the user to 'Enable Content'. Once clicked, malicious macros will be executed to download and install the NetSupport Manager client from a remote site.
"The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines," Microsoft tweeted.
The NetSupport Manager is a legitimate remote administration tool commonly distributed among the hacker communities to use as a remote access trojan.
When installed, it allows a threat actor to gain complete control over the infected machine and execute commands on it remotely.
In this particular attack, the NetSupport Manager client will be saved as the dwm.exe file under a random %AppData% folder and ..
Support the originator by clicking the read the rest link below.
