Phishing campaigns using emails are not new, but threat actors have now adopted a novel approach. Playing on people’s fears and concerns about the Covid-19 pandemic, a sustained phishing campaign using subject lines such as ‘WHO Covid-19 Situation Report’ has been running since May 12 this year.
The Microsoft Security Intelligence Team has issued an alert about a phishing campaign using Covid-19 related email attachments.
According to the Intelligence Team, this campaign ‘utilises hundreds of unique Excel files with highly obfuscated formulas’. However, all of them connect to the same URL to download the payload, NetSupport Manager. This legitimate remote access tool is popular with threat actors who want to gain remote access to and run commands on compromised machines.
If the phishing attempt is successful, the threat actor will have total access to the user’s PC, files, and programs, even if the device is running effective anti-malware or antivirus software.
While some emails are supposedly from Johns Hopkins University, others appear to offer Covid-19 testing services and information pertaining to the virus.
We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments. pic.twitter.com/kwxOA0pfXH (May 18, 2020)
Antivirus is not a safeguard against this attack
An Excel document entitled ‘WHO Covid-19 Situation Report’ contains embedded code that stealthily installs the popular remote access tool, NetSupport Manager. When an unsuspecting user opens such a document, the threat actor gains control of the PC, including all files and programs.
In the process, other potentially harmful malware is also installed, which, thankfully, can be detected and dealt with by the antivirus software. As NetSupport Manager is a legitimate program, antivirus software won’t take any action against it.
Firstly, users must read the subject line of every email carefully before opening it. Moreover, the sender should be known to the user before the user opens any email that supposedly offers authoritative information about Covid-19.
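Since antivirus will not act against NetSupport Manager itself, a mail gateway can instead inspect the attachment for Excel 4.0 macro sheets. The sketch below is an added example, not code from Microsoft or from this article; it assumes a legacy .xls (BIFF8) attachment whose Workbook stream has already been extracted from the OLE container, and the sample bytes are constructed.

```python
import struct

BOUNDSHEET, EOF = 0x0085, 0x000A   # BIFF8 record ids: sheet entry, end of globals
SHEET_TYPES = {0x00: "worksheet", 0x01: "excel4-macro", 0x02: "chart", 0x06: "vba-module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}

def list_sheets(stream: bytes) -> list:
    """Walk the BIFF8 records of a Workbook stream and return its sheet table."""
    sheets, pos = [], 0
    while pos + 4 <= len(stream):
        rec_type, rec_len = struct.unpack_from("<HH", stream, pos)
        body = stream[pos + 4 : pos + 4 + rec_len]
        pos += 4 + rec_len
        if rec_type == EOF:
            break
        # Skip other records and any BOUNDSHEET cut short by a truncated file.
        if rec_type != BOUNDSHEET or len(body) < rec_len or rec_len < 8:
            continue
        # Layout: 4-byte sheet offset, visibility, sheet type, name length, name flags.
        state, kind, cch, flags = struct.unpack_from("<BBBB", body, 4)
        raw = body[8:]
        if flags & 1:   # name stored as UTF-16LE
            name = raw[: 2 * cch].decode("utf-16-le", "replace")
        else:           # name stored one byte per character
            name = raw[:cch].decode("latin-1")
        sheets.append({"name": name,
                       "type": SHEET_TYPES.get(kind, hex(kind)),
                       "visibility": VISIBILITY.get(state & 3, "unknown")})
    return sheets

def macro_sheets(stream: bytes) -> list:
    """Sheets that hold Excel 4.0 macros; any hit is grounds to quarantine."""
    return [s for s in list_sheets(stream) if s["type"] == "excel4-macro"]

def rec(rec_type: int, body: bytes) -> bytes:
    """Build one BIFF record (helper for the constructed sample only)."""
    return struct.pack("<HH", rec_type, len(body)) + body

def boundsheet(name: str, kind: int, state: int) -> bytes:
    head = struct.pack("<IBBBB", 0, state, kind, len(name), 0)
    return rec(BOUNDSHEET, head + name.encode("latin-1"))

# Constructed sample: BOF, a visible worksheet, a very-hidden macro sheet, EOF.
SAMPLE = (rec(0x0809, bytes(16)) + boundsheet("Sheet1", 0x00, 0)
          + boundsheet("Macro1", 0x01, 2) + rec(EOF, b""))

if __name__ == "__main__":
    for sheet in macro_sheets(SAMPLE):
        print("quarantine:", sheet)
```

Because the check looks at the sheet table and not at the formulas or the file hash, obfuscation of the formulas and the use of hundreds of unique files do not affect it.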