Microsoft’s Security Intelligence team has warned that it has been tracking a “massive” phishing campaign that attempts to install a remote access tool onto PCs by tricking users into opening email attachments containing malicious Excel 4.0 macros.
Microsoft said thethemed campaign started on May 12, and has so far used several hundreds of unique attachments.
The emails being sent out claim to come from the Johns Hopkins Center bearing the title “WHO COVID-19 SITUATION REPORT”. If the recipient attempts to open the attached Excel files it will open with a security warning, and show a graph of supposed coronavirus cases in the US. But if allowed to run, the malicious Excel 4.0 macro also downloads and runs NetSupport Manager.
While NetSupport Manager is a legitimate remote access tool, it’s known for being abused by attackers to gain remote access to – and run commands on – compromised machines, Microsoft said. It connects to a command-and-control (C&C) server, allowing attackers to send further commands.
“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures,” Microsoft’s Security Intelligence team said in a series of tweets.
The team said that while the hundreds of unique Excel files in this campaign use “highly obfuscated formulas”, all of them connect to the same URL to download the payload.
This is not the only new security threat Microsoft’s security team has spotted: it has also warned of a new Trickbot campaign, launched on May 18, that uses emails claiming to offer a “personal coronavirus check” – a variation of the “free COVID-19 test” seen in previous Trickbot spam runs. Trickbot remains one of the most common payloads in COVID-19 themed campaigns.