Microsoft is warning users of a massive Covid-19 themed phishing campaign that installs the NetSupport Manager remote administration tool to completely take over a user’s system and even execute commands on it remotely.
The Microsoft Security Intelligence team provided further details on this ongoing campaign in a series of tweets in which it said that cybercriminals are using malicious Excel attachments to infect user’s devices with a remote access trojan (RAT).
The attack begins with potential victims receiving an email that impersonates the John Hopkins Center. This email claims to provide victims with an update on the number of coronavirus-related deaths in the US. However, attached to the email is an Excel file that displays a chart showing the number of deaths in the US.
When a user opens the Excel file, it then prompts them to ‘Enable Content’ and doing this executes the file’s malicious macros which download and install the NetSupport Manager client from a remote site.
Covid-19 themed phishing campaign
In a tweet, the Microsoft Security Intelligence team explained that all of the different Excel files used in the campaign all connect to the same URL, saying:
“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines.”
While the NetSupport Manager is actually a legitimate remote administration tool, it is commonly distributed among hacking communities who use it as a RAT. Once a user unknowingly installs the NetSupport Manager on their computer, it allows hackers to gain complete control over the infected machine and execute commands on it remotely. The NetSupport Manager RAT is then used to compromise a victim’s computer further by installing additional tools and scrips.
Those who have fallen victim to this phishing campaign should assume that their data has been compromised and that hackers have tried to steal their passwords. Once the infected device has been cleaned, users should change all of their passwords as well as those belonging to other computers on their network.