Microsoft Warns of COVID-19 Phishing Emails Spreading RATMalicious Messages Attempt to Install NetSupport Manager Tool on Devices
An ongoing "massive" COVID-19-themed phishing campaign is attempting to install the NetSupport Manager remote access tool on Windows devices, according to a series of alerts from the Microsoft Security Intelligence team.
NetSupport Manager is a legitimate administrative tool for remote system administrative access, but attackers can turn this tool into a remote access Trojan, or RAT. This then gives threat actors complete control over an infected device and gives them the ability to move laterally through other parts of the targeted network.
This latest phishing campaign to leverage the COVID-19 pandemic started on May 12 and is ongoing, according to Microsoft. It's also using "several hundred" unique attachments, mainly malicious Excel documents that hide the NetSupport Manager.
"The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload," according to Microsoft. "NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines."
The Microsoft alert did not say if this phishing campaign was targeting to a particular geographic region, or how successful these attacks have been so far. Earlier this month, the company sent out another warning about a malicious spam campaign leveraging a COVID-19 theme and targeting victims in the U.S. and South Korea. These attacks were also attempting to install RATs on infected devices (see: Malspam Campaigns Attempt to Install Remote Access Trojans).
In the phishing campaign that Microsoft described this week, the attacks start with messages pretending to be sent from the Johns Hopkins University, which has been a major source of news about COVID-19, offering daily updates on the number of infections and deaths worldwide.
These phishing emails include an attached malicious Excel file. If opened, it displays a New York Times report on COVID-19 deaths in the U.S.
Once the attachment is opened, malicious macros are enabled that prompt the user to "enable content." This allows the NetSupport Manager installation file to download onto the victim's device from a remote site controlled by the attackers, Microsoft reports.
In the next stage, the NetSupport Manager file is launched as a legitimate desktop Windows Manager executable, which further tricks the victims into granting other permissions that allow for the final payload to be downloaded onto the infected device.
In the final stage, malware then downloads additional components, such as Visual Basic script and an obfuscated PowerSploit-based PowerShell script, which then connect to the command-and-control server, according to Microsoft.
Attackers have been weaponizing the NetSupport Manager tool for some time. In March, for example, researchers at security firm Prevailion uncovered the Russian-based TA505 threat group conducting a business email compromise attack that embedded NetSupport into a victim's Google Drive account to enable remote access control (see: BEC Campaign Targets HR Departments: Report)
Other Phishing Attacks
The number of phishing attack using COVID-19 have been on the rise over the past two months. Security firm Check Point Software discovered nearly 20,000 newly registered domains over the past month are using either COVID-19 or coronavirus as part of their name. Of these websites, 17% were considered suspicious or malicious, according to the company's report.
On May 14, security firm Proofpoint uncovered a series of phishing campaigns using spoofed website templates with COVID-19 themes to launch attacks designed to steal login credentials and banking data (see: Spoofed Website Templates Help Spread COVID-19 Scams: Report)