New COVID-19-themed Malware Campaign Spreading through Emails

Microsoft warns of a new COVID-19-related malware campaign that spreads by email and uses Excel 4.0 macros and the NetSupport Manager remote access tool to compromise systems.

Email is a favorite method for attackers to disseminate malware because a message can be targeted at a few individuals or sent to many people at once, and because the intrusion relies on the victim’s credulity as the primary means of infection.

In the case of the campaign identified by Microsoft, the email carries an Office file that uses the aging Excel 4.0 macro format; when the file is opened and the macro is allowed to run, it deploys a remote access tool named NetSupport Manager. Both are legitimate tools that attackers have repurposed for their own malicious ends.
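For defenders triaging attachments of this kind, the following is an added Python example (not code from Microsoft’s advisory or from the original post) that flags Excel 4.0 macro sheets inside an OOXML workbook. It assumes the attachment is a zip-based .xlsm/.xlsx container; legacy BIFF .xls files use a different container and are not parsed here, and the sample workbooks it checks are constructed in the code.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Content type that Excel declares for an Excel 4.0 (XLM) macro sheet part.
XLM_CONTENT_TYPE = "application/vnd.ms-excel.macrosheet+xml"


def find_xlm_macrosheets(data: bytes) -> list[str]:
    """Return the zip part names that are Excel 4.0 macro sheets.

    Handles OOXML containers (.xlsm/.xlsx); legacy BIFF .xls is not a zip
    and is deliberately out of scope here.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    with zf:
        names = set(zf.namelist())
        hits = set()
        # Check 1: Excel stores macro sheets under xl/macrosheets/ by convention.
        for name in names:
            if name.startswith("xl/macrosheets/") and name.endswith(".xml"):
                hits.add(name)
        # Check 2: the content-type declaration is authoritative, so flag every
        # part the package itself labels as a macro sheet, whatever its path.
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for override in root:
                if override.get("ContentType") == XLM_CONTENT_TYPE:
                    part = override.get("PartName", "").lstrip("/")
                    if part in names:
                        hits.add(part)
        return sorted(hits)


def build_sample(with_xlm: bool, nonstandard_path: bool = False) -> bytes:
    """Constructed minimal OOXML zip used only to exercise the detector."""
    part = "xl/other/sheet1.xml" if nonstandard_path else "xl/macrosheets/sheet1.xml"
    overrides = []
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_xlm:
            zf.writestr(part, "<macrosheet/>")
            overrides.append(
                f'<Override PartName="/{part}" ContentType="{XLM_CONTENT_TYPE}"/>')
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    + "".join(overrides) + "</Types>")
    return buf.getvalue()
```

Running `find_xlm_macrosheets` over a mail gateway’s quarantined attachments gives a cheap first-pass signal that a workbook carries XLM code before any sandbox detonation.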

“The emails purport to come from Johns Hopkins Center bearing ‘WHO COVID-19 SITUATION REPORT’”, said Microsoft on Twitter. “The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT.”

Once the NetSupport Manager RAT is deployed, it downloads further files, including several .dll, .ini, and .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. When this stage is complete, the RAT connects to a command-and-control server to await further commands.

This type of attack existed before the pandemic, but the criminals have adjusted their lures to make their emails more appealing, increasing the likelihood that someone will open them.

It goes without saying that people should not open emails and attachments from unknown sources and should always have a security solution installed on their endpoints. It is also crucial to keep macros disabled by default in Microsoft Office.

Also, keep in mind that governments and health authorities don’t communicate with individuals through email or use it to send updates and situation reports. If you receive such an email, it’s likely part of a malware campaign.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Silviu STAHIE. Read the original post at: