Tech giant Microsoft has warned of a major new phishing threat using legitimate tools built into Microsoft Excel to target unsuspecting victims.
The software installs a NetSupport Manager remote administration tool (RAT) into a user’s device, allowing the hacker to gain remote access.
In a series of tweets, Microsoft’s Security Intelligence Team said the phishing campaign involves cybercriminals spreading malware through several malicious Excel attachments included in phishing emails that pretend to be from the Johns Hopkins Centre.
The email, relating to the number of deaths from Covid-19 in the US, contains a file prompting users to ‘Enable Content’. Once enabled, the macros download and install the NetSupport Manager client from a remote site.
In the Tweets, the centre explained: “The emails purport to come from Johns Hopkins Centre bearing ‘WHO COVID-19 SITUATION REPORT.’
“The Excel files open w/ security warning and show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT.
“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.”
Phishing attacks have become an increasingly common way to target vulnerable users. A simple email is an easy way to deceive unsuspecting recipient, particularly during Covid-19 when people are looking for information surrounding the virus.
Last week (12th May), it was reported that coronavirus related cyber-attacks increased by 30% in the two previous weeks.
Check Point’s Manager of Data Research, Omer Dembinsky, commented: “We have noticed a change in criminals’ tactics over the last three weeks. Hackers have gone into over-drive to take advantage of the coronavirus pandemic.
“If you unpack these latest cyber-attacks, the theme of impersonation is a clear and strong one, especially using the WHO, the UN and Zoom as a cover for phishing.
“For example, the number of Zoom-like domain registrations in the past three weeks alone is staggering. More than ever, it is important to beware of lookalike domains and to be extra cautious of unknown email senders.”
Users have been advised to ignore random emails and verify suspicious email addresses before downloading the included attachments.
It has also been suggested that users change passwords and investigate signs of infection on the network.
- How to Protect Your Business from Phishing and Whaling Scams
- Surge in Scammers Using reCaptcha Walls to Increase Phishing Attacks
- Hackers Increasingly Turn to AI to Super Boost Phishing Scams
Commenting on this latest phishing attack, Senior Security Engineer and Malware Researcher at DomainTools, Tarik Saleh, told Teiss: “this kind of attack is concerning, but not surprising.
“Cybercriminals are constantly looking for new and inventive ways to get around the increasingly complex defences deployed by enterprises, and by moderating a traditional phishing scam – hugely successful in their own right – to bypass multi-factor authentication, they have provided themselves with a template for cybercrime success.
“The advice for organisations and employees is to remain vigilant to this new kind of threat and to deploy training as regularly as possible to make sure individuals remain aware. Phishing is at its core an attack on people, and people remain the best defence against it, in addition to ensuring proper processes remain in place,” he added.