Microsoft warns of Covid-19 phishing campaign as it open sources coronavirus threat intel

News by Andrew McCorkell

Software company warns of threat that installs the NetSupport Manager remote administration tool to take over a system and execute commands remotely.

A remote access trojan (RAT) is being used by cybercriminals to infect user devices via malicious Excel attachments, Microsoft has warned.

The number of coronavirus-related apps has risen on the Google Play store, according to reports, with malicious Android apps being used to hack devices by exploiting fears over the Covid-19 pandemic.

The Microsoft Security Intelligence team used a series of tweets to explain that the Excel files used in the phishing campaign all lead to the same URL.

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload,” it said.

“NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines.”

The attack begins with potential victims receiving an email that impersonates the Johns Hopkins Center.
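The detail worth holding onto from Microsoft's tweets is that the obfuscation varies per file while the download URL does not, so the URL is the pivot an analyst wants out of each sample. The script below is an added example, not Microsoft's tooling or anything from the campaign: it assumes the Excel 4.0 macro formulas have already been dumped from the sheet into a dictionary keyed by cell address, rebuilds the strings that CHAR() concatenation and cell references assemble, flags the cells that use code-running XLM functions, and collects every URL the sheet resolves to. The sample cells, the placeholder `example.invalid` URL and the `CHAR_THRESHOLD` cut-off are all constructed for the example.

```python
import re

# Constructed sample: five Excel 4.0 (XLM) macro formulas of the kind an analyst
# dumps from a hidden macro sheet. The URL they assemble is a placeholder
# (example.invalid), not an indicator from the campaign.
SAMPLE_CELLS = {
    "A1": "=CHAR(104)&CHAR(116)&CHAR(116)&CHAR(112)&CHAR(58)&CHAR(47)&CHAR(47)",
    "A2": '="example"&CHAR(46)&"invalid"&CHAR(47)&"payload"&CHAR(46)&"bin"',
    "A3": "=A1&A2",
    "A4": '=EXEC("<placeholder loader> "&A3)',
    "A5": "=HALT()",
}

# The pieces an XLM string-building expression is made of: "literal", CHAR(n), or a cell reference.
TOKEN_RE = re.compile(r'"([^"]*)"|CHAR\((\d+)\)|\b([A-Z]{1,3}\d{1,7})\b', re.IGNORECASE)
CHAR_RE = re.compile(r"CHAR\(\d+\)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# XLM functions that let a macro run code, load libraries or rewrite other cells.
SUSPICIOUS = ("EXEC", "CALL", "REGISTER", "FORMULA", "URLDOWNLOADTOFILE")
CHAR_THRESHOLD = 4  # assumed cut-off: this many CHAR() calls in one cell is unusual in benign sheets


def resolve_string(formula: str, cells: dict, depth: int = 0) -> str:
    """Rebuild the string a formula assembles from literals, CHAR(n) and cell references."""
    if depth > 20:  # guard against self-referencing cells
        return ""
    out = []
    for literal, code, ref in TOKEN_RE.findall(formula.lstrip("=")):
        if literal:
            out.append(literal)
        elif code:
            out.append(chr(int(code)))
        elif ref and ref.upper() in cells:
            out.append(resolve_string(cells[ref.upper()], cells, depth + 1))
    return "".join(out)


def analyse_cell(addr: str, formula: str, cells: dict) -> dict:
    """Obfuscation and capability findings for one cell, plus any URL it resolves to."""
    findings = []
    n_char = len(CHAR_RE.findall(formula))
    if n_char >= CHAR_THRESHOLD:
        findings.append(f"{n_char} CHAR() calls: character-code string obfuscation")
    upper = formula.upper()
    for fn in SUSPICIOUS:
        if re.search(rf"\b{fn}", upper):
            findings.append(f"uses {fn}")
    urls = URL_RE.findall(resolve_string(formula, cells))
    if urls:
        findings.append("resolves to a URL")
    return {"cell": addr, "findings": findings, "urls": urls}


def analyse_sheet(cells: dict) -> dict:
    return {addr: analyse_cell(addr, f, cells) for addr, f in cells.items()}


def collect_urls(cells: dict) -> set:
    """Every URL any cell resolves to; one URL shared by many files is the campaign's pivot."""
    return {u for r in analyse_sheet(cells).values() for u in r["urls"]}


if __name__ == "__main__":
    for addr, r in analyse_sheet(SAMPLE_CELLS).items():
        print(addr, SAMPLE_CELLS[addr])
        for f in r["findings"]:
            print("   !", f)
    print("download URL(s):", sorted(collect_urls(SAMPLE_CELLS)))
```

Run against a batch of samples, `collect_urls` gives the set of download locations to block or hunt for, while the per-cell findings show which formulas carried the obfuscation and which carried the capability; a sheet where the two sit in different cells is exactly the pattern a keyword-only scan of the raw formulas misses.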

Microsoft has open-sourced its Covid-19 threat intelligence, sharing information to build a more complete view of hackers' techniques.

Speaking to SC Magazine, Jake Moore, cybersecurity specialist at ESET, said: “The most effective phishing attacks play with emotions and purport to come from well-known brands.

“However, when coupled with the desperate need for the latest information around COVID-19, it makes most people forget all they’ve learnt before in training and makes the attack that much harder to resist.”

Remote attacks are inevitably going to be on the increase as more people access their office networks remotely, Moore said.

“As the UK workforce went home, large numbers of people have fired up their own, and no doubt old, devices to work from. This increases the chances of attacks without the proper security checks in place, but coupled with authentic-looking emails with a genuine reason to use remote software, it becomes a plausible con.

“Moreover, it would seem many people have relaxed their barrier to phishing scams amid the desperation to find the latest COVID-19 news, so when scammers use names like Johns Hopkins University, this seems to be working better than the classic Netflix or HMRC scams.”

Jamie Akhtar, CEO and co-founder of CyberSmart, said that phishing attacks have increased six-fold since February.

“We are seeing an enormous spike in phishing campaigns, fake websites and social profiles that are deliberately impersonating COVID-19 and healthcare-related authorities as hackers exploit the unprepared public. Many of these phishing emails can be extremely convincing.”

Tarik Saleh, senior security engineer and malware researcher at DomainTools, said this kind of attack is “definitely concerning” but not surprising.

Saleh said: “Cybercriminals are constantly looking for new and inventive ways to get around the increasingly complex defences deployed by enterprises, and by moderating a traditional phishing scam – hugely successful in their own right – to bypass multi-factor authentication, they have provided themselves with a template for cybercrime success.”

The phishing campaign is “bringing all the latest hits together”, according to Roger Grimes from KnowBe4.

He said: “It’s relying on the recent strong disagreements and pushback on the ‘real’ Covid-19 numbers highlighted in the news to spark potential victim interest in opening the email and malicious XLS attachment. It uses embedded macros to download a legitimate remote control program and obfuscated PowerShell scripts… thus not setting off all antivirus software.

“Then, it drops data and password-stealing trojans. All that it’s missing is ransomware, and it probably has that, too. Luckily, all we have to do is to educate our end users on the dangers of opening any document that then requests that the macros or active content be allowed to run.”

Cybersecurity expert Robert Ramsden-Board, VP EMEA of Securonix, identified three clear trends in Covid-19 related phishing attempts:

  • Wave 1: Focused on coronavirus, the symptoms, and how to self-diagnose.
  • Wave 2: Tailored towards the cure/vaccine, disease progress tracking, and tips to engage kids at home.
  • Wave 3: Focused on stimulus checks and impersonation emails with subjects focused on reduction in force, layoff forecasts, and end of work from home/reopen.

Ramsden-Board said: “It should not be a surprise to security teams that attackers are tuned in to the latest news, and craft emails with topical subjects to compel victims to open them.

“In the last couple of weeks, we have observed a surge in the number of new domains registered that are themed around corona/Covid-19 stimulus or financial recovery, that are being used to maliciously target people.”

He added that Securonix research has also revealed an email campaign that places Google Drive or OneDrive links in an attachment or in the body of the email in order to evade existing email security solutions.
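Both of Ramsden-Board's observations point at the same gap: a freshly registered pandemic-themed sender domain has no reputation yet, and a link on drive.google.com or onedrive.live.com inherits the good reputation of the host rather than of whoever uploaded the file. The triage function below is an added example written for this article, not Securonix's research or product: it scores a message on the combination of an unverified sender, pandemic-themed wording in the sender domain, subject or link host, and a public share link, so that mail the filters waved through can be ranked for a human look. The messages, the `.example` domains, the `PLACEHOLDER_ID` share link and the `TRUSTED_DOMAINS` allow-list are all constructed for the example.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
THEME_WORDS = ("covid", "corona", "stimulus", "relief", "recovery", "vaccine")
# Public file-sharing hosts whose links pass reputation checks because the host itself is legitimate.
SHARE_HOSTS = ("drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms")
# Assumed allow-list of sender domains the organisation has verified (constructed value).
TRUSTED_DOMAINS = {"example.com"}

# Constructed messages: the .example TLD is reserved and the share-link ID is a placeholder.
SAMPLE_MESSAGES = [
    {"from": "alerts@covid19-stimulus-relief.example",
     "subject": "Stimulus check eligibility - action required",
     "body": "Your eligibility letter is here: https://drive.google.com/file/d/PLACEHOLDER_ID/view"},
    {"from": "hr@example.com",
     "subject": "Return to office plan",
     "body": "The plan is on the intranet: https://intranet.example.com/plan"},
    {"from": "news@corona-update.example",
     "subject": "Latest Covid-19 numbers",
     "body": "Open the tracker: https://corona-update.example/tracker"},
]


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def has_theme(text: str) -> bool:
    lowered = text.lower()
    return any(word in lowered for word in THEME_WORDS)


def triage(msg: dict) -> dict:
    """Score one message; a higher score means more reason for a human to look before a user does."""
    score, reasons = 0, []
    domain = sender_domain(msg["from"])
    trusted = domain in TRUSTED_DOMAINS or any(domain.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not trusted and has_theme(domain):
        score += 2
        reasons.append(f"pandemic-themed sender domain: {domain}")
    if not trusted and has_theme(msg["subject"]):
        score += 1
        reasons.append("pandemic-themed subject from unverified sender")
    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if host in SHARE_HOSTS and not trusted:
            # The host is reputable; the sender is not, which is the combination the evasion relies on.
            score += 2
            reasons.append(f"public share link from unverified sender: {host}")
        elif has_theme(host):
            score += 1
            reasons.append(f"pandemic-themed link host: {host}")
    return {"from": msg["from"], "score": score, "reasons": reasons}


def rank(messages: list) -> list:
    """Highest-scoring messages first."""
    return sorted((triage(m) for m in messages), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for result in rank(SAMPLE_MESSAGES):
        print(result["score"], result["from"])
        for reason in result["reasons"]:
            print("   -", reason)
```

The weights are illustrative; the point of the structure is that the share-link signal only counts when the sender is unverified, so the HR message with an intranet link scores zero while the two pandemic-themed senders rise to the top whether they use a public share host or their own look-alike domain.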
