‘Coronavirus Report’ Emails Spread NetSupport RAT, Microsoft Warns

Attackers use the ongoing coronavirus pandemic as a lure, as well as malicious Excel documents, to convince victims to execute the RAT. Researchers with Microsoft's security intelligence team said this week that the ongoing campaign started on May 12 and has used several hundred unique malicious Excel 4.0 attachments thus far - a trend that researchers said they've seen steadily increase over the past month.
The emails are titled "WHO COVID-19 SITUATION REPORT" and claim to give an update on the confirmed cases and deaths related to the ongoing pandemic in the U.S. The attached malicious Excel 4.0 document opens with a security warning and shows a graph of supposed coronavirus cases in the U.S. If a victim allows the content to run, the malicious Excel 4.0 macro downloads and executes the NetSupport Manager RAT.
The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT.
Earlier this year Palo Alto Networks' Unit 42 division spotted a spam campaign attempting to deliver a malicious Microsoft Word document - using the disguise of a NortonLifeLock-protected file - that dropped the weaponized RAT. "The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script," said researchers.
In a separate campaign also reported this week by Microsoft's security team, emails on May 18 purporting to offer a "Free COVID-19 test" actually spread the Trickbot trojan.
News URL
https://threatpost.com/coronavirus-emails-netsupport-rat-microsoft/156026/