 "Microsoft alerts about a COVID-19 phishing attack in which malicious Excel attachments are being sent via email"){kind=logo}
Microsoft has cautioned its users about a COVID-19-themed phishing attack, in which hackers send malicious Excel attachments to people through emails to get remote access. “We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros,” Microsoft
wrote on Twitter. The company posted a number of tweets to explain how this campaign is being run. [caption id=“attachment_6445311” align=“alignnone” width=“1280”] Microsoft logo. Representational image.[/caption]
We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments. pic.twitter.com/kwxOA0pfXH
— Microsoft Threat Intelligence (@MsftSecIntel) May 18, 2020
Hackers send emails that pretend to be from Johns Hopkins Center with subject “WHO COVID-19 SITUATION REPORT”. These mails include Excel files that provide graphical representation of the coronavirus data. However, in reality, they contain malicious Excel 4.0 macros.
The emails purport to come from Johns Hopkins Center bearing "WHO COVID-19 SITUATION REPORT". The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT. pic.twitter.com/gXbxZOGpZf
— Microsoft Threat Intelligence (@MsftSecIntel) May 18, 2020
“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload,” said the company. NetSupport Manager is used by attackers to gain remote access and run commands on compromised machines. Microsoft has informed that it has observed a steady increase in the use of malicious Excel 4.0 macros for several months. It added that last month these campaign started approaching people using COVID-19 themes.
For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.
— Microsoft Threat Intelligence (@MsftSecIntel) May 18, 2020
“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands,” the OS maker said. Microsoft in April published its monthly security patch for 113 vulnerabilities across 11 products, including three zero-day bugs. CVE-2020-1020 was **one of the three zero-day vulnerabilities** in the Windows Adobe Type Manager Library which allowed attackers to run code on susceptible systems. The second zero-day bug was CVE-2020-0938, it let attackers carry out attacks remotely. CVE-2020-1027 was the third one and it was found in Windows kernel.
 "Charlie Kirk, shot dead in Utah, once said gun deaths are 'worth it' to save Second Amendment")
 "From governance to tourism, how Gen-Z protests have damaged Nepal")
 "Did Russia deliberately send drones into Poland’s airspace?")
 "Netanyahu ‘killed any hope’ for Israeli hostages: Qatar PM after Doha strike")
 "Charlie Kirk, shot dead in Utah, once said gun deaths are 'worth it' to save Second Amendment")
 "From governance to tourism, how Gen-Z protests have damaged Nepal")
 "Did Russia deliberately send drones into Poland’s airspace?")
 "Netanyahu ‘killed any hope’ for Israeli hostages: Qatar PM after Doha strike")
