Microsoft has warned about a massive phishing campaign that started on May 12. The emails are made to look as if they come from the “Johns Hopkins Center” and carry an Excel attachment that claims to show US deaths caused by the Coronavirus.
If a user opens that infected “Excel doc”, a malicious macro inside the file downloads and runs the NetSupport Manager Remote Admin Tool. NetSupport Manager is a legitimate remote support product, but criminals abuse it as a remote access trojan (RAT), specifically to download further malware onto a targeted device. Once installed, it gives the bad guys complete control over the infected machine and lets them execute commands on it remotely.
In a series of tweets, the Microsoft Security Intelligence team outlines how this massive campaign is spreading the tool. The Excel document contains malicious macros and prompts the user to ‘Enable Content’. Once clicked, the macros execute, download the NetSupport Manager client from a remote site and install it.
“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines,” Microsoft tweeted.
Short Technical Background
In this particular attack, the NetSupport Manager client masquerades as the legitimate Desktop Window Manager: the executable is saved as dwm.exe under a randomly named %AppData% folder and launched from there. The genuine dwm.exe lives in %SystemRoot%\System32 and is never started by an Office application, so a dwm.exe running from anywhere else, or with Excel as its parent, is worth investigating. The bad guys then use the NetSupport Manager RAT to further compromise the user’s machine by installing other malicious tools and scripts.
“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands,” Microsoft explained.
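The behaviour described above (Excel launching a dwm.exe from %AppData%, and that rogue dwm.exe then spawning script hosts) gives a defender concrete things to hunt for. The following is an added example, not code from the original post or from Microsoft's write-up: it runs simple detection rules over process-creation records. The record layout is a simplified stand-in for Sysmon Event ID 1 fields, and the paths, PIDs and command lines in the sample events are constructed for illustration, not taken from the campaign.

```python
"""Hunt for NetSupport-style dwm.exe masquerading in process-creation events.

Added example for illustration (not the original post's code). Events are a
constructed, Sysmon-like subset: image path, parent image path, command line.
"""
import ntpath
from dataclasses import dataclass

# The genuine Desktop Window Manager lives only here.
LEGIT_DWM_DIR = r"c:\windows\system32"
# Office applications never legitimately launch binaries from a user profile.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the started executable
    parent_image: str   # full path of the parent executable
    cmdline: str = ""


def _split(path):
    """Lower-case a Windows path and split it into (directory, file name)."""
    p = path.lower()
    return ntpath.dirname(p), ntpath.basename(p)


def _under_appdata(path):
    return "\\appdata\\" in path.lower()


def findings(ev):
    """Return the list of reasons an event looks like the dwm.exe RAT pattern."""
    reasons = []
    img_dir, img_name = _split(ev.image)
    par_dir, par_name = _split(ev.parent_image)

    # Rule 1: dwm.exe anywhere except System32 is a masquerade.
    if img_name == "dwm.exe" and img_dir != LEGIT_DWM_DIR:
        reasons.append("dwm.exe outside System32")

    # Rule 2: an Office app dropped and launched something from %AppData%.
    if par_name in OFFICE_PARENTS and _under_appdata(ev.image):
        reasons.append(f"{par_name} launched a binary from %AppData%")

    # Rule 3: an Office app spawned a script host (macro-driven execution).
    if par_name in OFFICE_PARENTS and img_name in SCRIPT_HOSTS:
        reasons.append(f"{par_name} spawned {img_name}")

    # Rule 4: a rogue dwm.exe is now running the dropped VBScript/PowerShell.
    if par_name == "dwm.exe" and par_dir != LEGIT_DWM_DIR and img_name in SCRIPT_HOSTS:
        reasons.append(f"rogue dwm.exe spawned {img_name}")

    return reasons


def hunt(events):
    """Map pid -> reasons for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        reasons = findings(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


# Constructed sample events: one benign dwm.exe, one benign Excel start,
# then the chain described in the post (hypothetical folder name k3v9q).
SAMPLE_EVENTS = [
    ProcEvent(1204, r"C:\Windows\System32\dwm.exe",
              r"C:\Windows\System32\winlogon.exe"),
    ProcEvent(5120, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\explorer.exe"),
    ProcEvent(5388, r"C:\Users\alice\AppData\Roaming\k3v9q\dwm.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(5410, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Roaming\k3v9q\dwm.exe",
              "powershell.exe -NoProfile -ExecutionPolicy Bypass -File stage2.ps1"),
]


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run as-is the script flags PID 5388 (dwm.exe outside System32, launched by Excel from %AppData%) and PID 5410 (the rogue dwm.exe starting PowerShell) while leaving the real Desktop Window Manager and a normal Excel start alone. In production the same four rules translate directly into EDR or SIEM queries over Sysmon Event ID 1 or Windows Security Event 4688; the image and parent-image checks are the part that matters, since the random %AppData% folder name changes per victim.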
Educate your employees with Security Awareness Training. They need to be taught to recognise targeted phishing attacks, whether the lure is an email from a lookalike domain or a theme such as tax or flight refunds, COVID-19, an outstanding invoice, a package delivery, or any of a myriad of other stories like the one told above.
Request A Demo: Security Awareness Training
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn’t a one-and-done deal: continuous training and simulated phishing are both needed to mobilise users as your last line of defence. Request your one-on-one demo of KnowBe4’s security awareness training and simulated phishing platform and see how easy it can be!
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/one-on-one-demo-partners?partnerid=001a000001lWEoJAAW