Microsoft warns of COVID-19-related spear-phishing campaign

In a series of tweets, Microsoft Security Intelligence researchers warned of a complex spear-phishing campaign related to COVID-19. The global COVID-19 pandemic has given rise to various kinds of criminal activity, including cybercrime. In particular, phishing emails, and variants like spear-phishing, prey on people's insecurities and fears related to COVID-19. In many of these phishing emails, the subject line relates to supposedly important developments in the fight against the virus, only for the message to link to malicious websites or .EXE files.

The Microsoft Security Intelligence researchers stated the following in the Twitter thread about the campaign:

We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments... The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines... The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands.

The emails in question all feature subject lines related to the World Health Organization. They claim to be official reports on COVID-19 from the WHO, in the hope that victims are fooled into clicking on the malicious hyperlink. It should go without saying that the WHO is not going to contact you at random to give official updates. Anything along these lines should be assumed to be nothing more than an attempt to steal data, infect your device, or a combination of the two. As long as this COVID-19 crisis continues, these types of campaigns will only increase (so long as they are effective).

Even though it is an incredibly frightening and uncertain time for the world, do not let criminals take advantage of your fears. With a little common sense, these individuals can be stopped in their tracks.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
