Microsoft’s Security Intelligence team has warned that it has been tracking a “massive” phishing campaign that attempts to install a remote access tool onto PCs by tricking users into opening email attachments containing malicious Excel 4.0 macros.
Microsoft said the COVID-19 themed campaign started on May 12, and has so far used several hundreds of unique attachments.
The emails being sent out claim to come from the Johns Hopkins Center bearing the title “WHO COVID-19 SITUATION REPORT.” If the recipient attempts to open the attached Excel files it will open with a security warning, and show a graph of supposed coronavirus cases in the US. But if allowed to run, the malicious Excel 4.0 macro also downloads and runs NetSupport Manager.
While NetSupport Manager is a legitimate remote access tool, it’s known for being abused by attackers to gain remote access to – and run commands on – compromised machines, Microsoft said.
“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures,” Microsoft’s Security Intelligence team said.