Microsoft Corporation is warning all users to steer clear of any suspicious mail they receive. The company is tracking a massive phishing campaign which the hackers are leading. However, the hackers gain remote access to any PC by tricking users to open a malicious Excel 4.0 macro. The entire cyber attack campaign started on May 12, 2020. The cybercriminals are targeting the COVID-19 campaign, in order to spread malware. Hundreds of unique attachments are causing such problems for the people out there.
All of these emails bear the title of the research institute, Johns Hopkins Center. The subject line reads something similar to that of “COVID-19 SITUATION REPORT WHO OFFICIAL“. However, if you attempt to open this file, it will open a malicious Excel 4.0 macro in your system. This macro will download and run the NetSupport Manager remotely in your system in order to gain access.
Trickbot remains to be one of the most common payloads in COVID-19 themed campaigns. A new Trickbot campaign that launched on May 18 uses emails that claim to offer "personal coronavirus check", an iteration of the "free COVID-19 test" we’ve seen in previous Trickbot spam runs. pic.twitter.com/pU2MgBNJcE
— Microsoft Security Intelligence (@MsftSecIntel) May 19, 2020
Microsoft Cybersecurity: Coronavirus hacker
NetSupport Manager in itself is not a malicious file. It is indeed a legal remote access tool, that let’s access the system of a user by taking their permission. But even if the file is not malicious, the people behind it definitely are. This remote access tool is very common for being abused by attackers in order to gain control of the victim’s machine. Upon direct access the cybercriminals connect to a C&C server in order to send further commands from various attackers in the world.
We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments. pic.twitter.com/kwxOA0pfXH
— Microsoft Security Intelligence (@MsftSecIntel) May 18, 2020
The method of exploitation used here is a simple payload deployment. The Excel 4.0 macros, which seem to contain official information about something, has this URL, which leads you to download and launch this payload. Basically, you make it easier for the attacker to gain control over your system. Let us know what you think of this in the comments section below and we are proud to announce Sciencenews18 is now available on telegram, Do join it quickly!
Suryapratim Ray is an engineer, author, robotics hobbyist, and an active Quoran. Being a technical blogger, he covers the good, bad, and ugly of science on a regular basis at Sciencenews18. In addition to his passion for writing, he’s equally keen on learning classical music.