Custom Quick Reference Information Directories
GCC Blog

We hope you find our articles informative and interesting. If you'd like to receive our monthly newsletter with articles like these, please take a minute to sign up.

Microsoft: Beware of ‘Massive’ Excel, COVID-19 Phishing Scam

June 1st, 2020 by Guest Communications


Written by: Zachary Comeau, May 28, 2020

Microsoft is warning users of a massive phishing campaign using malicious Excel files and fake COVID-19 news designed to install software that can allow hackers to take over end user computers.

In a series of Tweets earlier this week, Microsoft Security Intelligence said that the company is tracking a “massive campaign” that installs the legitimate remote access tool NetSupport Manager via emails with attachments containing malicious Excel files.

“The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments,” the company tweeted.

The emails are designed to take advantage of the constant stream of COVID-19 news and purport to come from John Hopkins Coronavirus Research Center, one of the leading institutions tracking and fighting the virus. The emails contain the subject line, “WHO COVID-19 SITUATION REPORT.”

The files open with a security warning and show a graph of supposed COVID-19 cases in the U.S.

“If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT,” Microsoft tweeted.

NetSupport Manager is a legitimate remote access tool, but it is also known as an effective hacking tool that lets attackers gain access to and run commands on compromised machines.

Microsoft Security Intelligence says those kinds of attacks using Excel 4.0 macros have been steadily increasing. In April, those campaigns “jumped on the bandwagon and started using COVID-19 themed lures.”

Hundreds of unique Excel files in these attacks use highly obfuscated formulas, but they all connect to the same URL to download the payload.

“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands,” Microsoft tweeted.

Microsoft provides more information about how the company prevents these kind of attacks on its security blog.

This article originally ran in CS sister publication MyTechDecisions. Zach Comeau is TD’s web editor.

This article appeared on Campus Safety News and is shared with consent.

Guide to Guest Services
Fully customized vinyl information directories for your patients and their visitors. They are easy to update and easy to use.
Guide to Emergency Preparedness
Fully customized quick reference guides to help keep your staff prepared for emergencies.
Guide to Infection Control
Fully customized quick reference guide to help keep your staff prepared for safe infection prevention and control procedures.
Accessories for your guides
Protect your investment by utilizing one of our various mounting systems.
Other Popular Products
Customized products including 3-Ring Binders, Sports Memory Books, Menus, Hotel Directories, and more…