Two new massive COVID-19 phishing campaigns identified

Microsoft has announced the identification of two new large-scale phishing campaigns that entice the end user to install remote access tools onto their PCs. The campaign started on May 12th, and has used hundreds of unique attachments. These attachments have primarily contained Excel 4.0 macros to download and run NetSupport Managed, a legitimate remote access tool.

The emails have claimed to come from the John Hopkins Center with titles like “WHO COVID-19 SITUATION REPORT”. When opened, a graph of US cases appears and a security warning requesting permission to run the embedded macros.

Once NetSupport Manager is installed, it is reaching out and connecting to command-and-control (C&C) servers where attackers can remotely execute commands on compromised machines.

Additionally, a new TrickBot campaign launched on May 18th also using a COVID-19 theme. These emails claim to offer a “personal coronavirus check”, which is a variation of the previously seen “free COVID-19 tests” used in TrickBot spam campaigns.

To date, TrickBot has been one of the most common payloads in COVID-19 themed campaigns.

TrickBot is a banking trojan that targets sensitive user information and can act as a dropper for other malware. There is a common relationship between TrickBot infections that then lead to Ryuk ransomware attacks.

Administrators are reminded that user awareness training is an important aspect of an organization’s security program and users should never interact with unknown and unexpected attachments, especially from unknown senders.