In a series of tweets, Microsoft Security Intelligence researchers warned of a complex spear-phishing campaign related to COVID-19. The global COVID-19 pandemic has given rise to various kinds of criminal activity, including cybercrime. In particular, phishing emails and variants such as spear-phishing prey on global citizens’ insecurities and fears related to COVID-19. In many of these phishing emails, the subject line relates to supposedly important developments in the fight against the virus, while the message itself links to malicious websites or .EXE files.
The Microsoft Security Intelligence researchers stated the following in the Twitter thread about the campaign:
We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments... The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines... The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands.
— Microsoft Security Intelligence (@MsftSecIntel) May 18, 2020
The emails in question all feature subject lines related to the World Health Organization. They claim to be official reports on COVID-19 from the WHO and hope that victims are fooled into clicking on the malicious hyperlink. It should go without saying that the WHO is not going to contact you at random to give official updates. Anything along these lines should be assumed to be nothing more than an attempt to steal data, infect your device, or a combination of the two. As long as this COVID-19 crisis continues, these types of campaigns will only increase (so long as they are effective).
Even though it is an incredibly frightening and uncertain time for the world, do not let criminals take advantage of your fears. With a little common sense, these individuals can be stopped in their tracks.