Microsoft's security team has warned of an ongoing “massive” phishing campaign that attempts to install a remote access tool on PCs by enticing users to open email attachments containing malicious Excel 4.0 macros.
According to Microsoft, the COVID-19-themed campaign started on May 12 and has used several hundred different attachments so far.
The emails purport to originate from the Johns Hopkins Center (one of the agencies that provide statistics on the epidemic) and bear the title “WHO COVID-19 SITUATION REPORT”. If the recipient opens the attached Excel file, it opens with a security warning and displays a graph of suspected cases of coronavirus in the United States. If the malicious Excel 4.0 macro is allowed to run, it also downloads and runs NetSupport Manager.
NetSupport Manager, a completely legitimate remote access tool
Although NetSupport Manager is a completely legitimate remote access tool, it is also known to be used by attackers to remotely access compromised machines and execute commands on them, Microsoft said. It connects to a command and control (C&C) server, which allows attackers to send commands.
“For several months now, we have seen a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns started up and started using the COVID-19 theme,” said the Microsoft Security Intelligence team.
The team notes that while the hundreds of unique Excel files for this campaign use “very obscure formulas,” all of them connect to the same URL to download the payload.
This is not the only new threat that the Microsoft security team has recently detected: it has also warned of a new Trickbot campaign, launched on May 18, which uses coronavirus-themed emails. Trickbot is one of the most common payloads in COVID-19-themed campaigns.