Security News > 2020 > May > ‘Coronavirus Report’ Emails Spread NetSupport RAT, Microsoft Warns
Attackers use the ongoing coronavirus pandemic as a lure, as well as malicious Excel documents, to convince victims to execute the RAT. Researchers with Microsoft's security intelligence team said this week that the ongoing campaign started on May 12 and has used several hundred unique malicious Excel 4.0 attachments thus far - a trend that researchers said they've seen steadily increase over the past month.
The emails are titled "WHO COVID-19 SITUATION REPORT" and claim to give an update on the confirmed cases and deaths related to the ongoing pandemic in the U.S. The attached malicious Excel 4.0 document opens with a security warning and shows a graph of supposed coronavirus cases in the U.S. If a victim allows it to run, the malicious Excel 4.0 macro downloads and runs the NetSupport Manager RAT.
The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT.
Earlier this year Palo Alto Networks' Unit 42 division spotted a spam campaign attempting to deliver a malicious Microsoft Word document - using the disguise of a NortonLifeLock-protected file - that dropped the weaponized RAT. "The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script," said researchers.
In a separate campaign also reported this week by Microsoft's security team, emails on May 18 purporting to offer a "Free COVID-19 test" actually spread the Trickbot trojan.
News URL
https://threatpost.com/coronavirus-emails-netsupport-rat-microsoft/156026/