image
A recent spear-phishing campaign has been spotted spreading a weaponized NetSupport Manager remote access tool (RAT), which is a legitimate tool used for troubleshooting and tech support. Attackers use the ongoing coronavirus pandemic as a lure, as well as malicious Excel documents, to convince victims to execute the RAT. Researchers with Microsoft’s security intelligence team said this week that that the ongoing campaign started on May 12 and has used several hundred unique malicious Excel 4.0 attachments thus far – a trend that researchers said they’ve seen steadily increase over the past month. “The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload,” said the researchers in a series of tweets. “For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.” The spear-phishing emails purport to come from the Johns Hopkins Center, which researches epidemics and disasters in order to “ensure that communities are resilient to major challenges,” according to its website. The emails are titled “WHO COVID-19 SITUATION REPORT” and claim to give an update on the confirmed cases and deaths related to the ongoing pandemic in the U.S. The attached malicious Excel 4.0 document (which is titled “covid_usa_nyt_8702.xls” in the sample…

Source