Categories: SecurityWorkspace

Microsoft Uncovers ‘Massive’ Pandemic-Themed Phishing Campaign

Microsoft has warned of a “massive” malware campaign that spreads via scam emails made to appear to have been sent by a major US health research institute.

The phishing campaign takes advantage of fears around Covid-19 and attempts to take control of users’ Windows systems, Microsoft said.

The pandemic-themed campaign began on 12 May and has used several hundred unique Excel attachments, making it more difficult to protect against.

Users receive a message claiming to have been sent by the Johns Hopkins Centre for Health Security, an independent organisation Johns Hopkins University in Baltimore, Maryland.

Image credit: Microsoft

Remote access

The university has become known for producing detailed maps charting Covid-19 cases.

The phishing email includes an Excel attachment containing pandemic data such as infection and death rates.

But the documents also prompt the user to allow macros to execute, and if allowed to do so the macros download and run a tool for gaining remote access to the system.

NetSupport Manager is a legitimate remote-access tool, but is often misused as a remote access Trojan (RAT) to gain illicit control over remote systems.

The tool downloads and installs further components on the system, including .dll, .ini and other executable files, a VBScript and an obfuscated PowerSploit-based PowerShell script, Microsoft said.

It also connects to a remote server, allowing attackers to issue further commands to the infected system.

Obfuscation

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload,” Microsoft said on Twitter.

The company said it has seen a “steady increase” in malicious Excel 4.0 macros in phishing campaigns over the past several months.

“In April, these Excel 4.0 campaigns jumped on the bandwagon and started using Covid-19 themed lures,” the company stated.

Microsoft also warned of a campaign spreading the Trickbot malware that also uses the pandemic as a lure.

The campaign, which began last week, uses emails claiming to offer a “personal coronavirus check”, Microsoft said.

In April Google said it was blocking 18 million Covid-19-related scam emails per day, and more than 100 million per week.

Security experts advise users to be wary of emails sent from unknown senders.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

6 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

9 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

10 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

11 hours ago