Microsoft warns of a COVID-19 phishing attack in which malicious Excel attachments are being sent via email

Microsoft has cautioned its users about a COVID-19-themed phishing attack in which hackers email malicious Excel attachments to people in order to gain remote access.

“We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros,” Microsoft wrote on Twitter.

The company posted a number of tweets to explain how this campaign is being run.


Hackers send emails that pretend to be from Johns Hopkins Center, with the subject “WHO COVID-19 SITUATION REPORT”. These emails include Excel files that provide a graphical representation of coronavirus data. In reality, however, they contain malicious Excel 4.0 macros.

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload,” said the company.

NetSupport Manager is used by attackers to gain remote access and run commands on compromised machines.

Microsoft said it has observed a steady increase in the use of malicious Excel 4.0 macros for several months. It added that last month these campaigns started using COVID-19 themes to approach people.

“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands,” the OS maker said.

In April, Microsoft published its monthly security patch for 113 vulnerabilities across 11 products, including three zero-day bugs.

CVE-2020-1020, one of the three zero-day vulnerabilities, was in the Windows Adobe Type Manager Library and allowed attackers to run code on susceptible systems. The second zero-day bug, CVE-2020-0938, let attackers carry out attacks remotely. The third, CVE-2020-1027, was found in the Windows kernel.