New COVID-19-themed Malware Campaign Spreading through Emails

Microsoft warns of a new COVID-19-related malware
campaign spreading by email and using Excel 4.0 macros and NetSupport Manager
to compromise systems.

Email is a favorite method for attackers to
disseminate malware because it can be targeted or sent to many people at once.
The main reason, though, is that the intrusion relies on the victim’s credulity
as the primary means of infection.

In the case of the malware campaign identified by
Microsoft, the email contains an Office file that uses the aging Excel 4.0
macros, which in turn deploy, when the file is opened, a remote access tool named
NetSupport Manager. Both are legitimate tools abused by attackers to fulfill
different malicious goals.

“The emails purport to come from Johns Hopkins
Center bearing ‘WHO COVID-19 SITUATION REPORT’”, said
Microsoft on Twitter. “The Excel files open w/ security warning & show
a graph of supposed coronavirus cases in the US. If allowed to run, the
malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT.”

Once the NetSupport Manager RAT is deployed, further
files are downloaded, including a few .dll, .ini, and other .exe files, a
VBScript, and an obfuscated PowerSploit-based PowerShell script. When the
procedure is complete, the malware connects to a command-and-control (C2) server
to await further commands.

This type of attack existed before the pandemic, but the
criminals have adjusted their strategy to make their emails more appealing,
increasing the likelihood of someone opening them.

It goes without saying that people should not open emails
and attachments from unknown sources and should always have a security solution
installed on their endpoints. It’s crucial to keep macros set to Off by default
in Microsoft Office.

Also, keep in mind that the government and health
authorities don’t communicate with people through email or use it to send
updates and situation reports. If you receive such an email, it’s likely part
of a malware campaign.
