Scam emails use Excel spreadsheets containing Covid-19 data as a lure, then execute malicious macros that give attackers control over system
Microsoft has warned of a “massive” malware campaign that spreads via scam emails made to appear to have been sent by a major US health research institute.
The phishing campaign takes advantage of fears around Covid-19 and attempts to take control of users’ Windows systems, Microsoft said.
The pandemic-themed campaign began on 12 May and has used several hundred unique Excel attachments, making it more difficult to protect against.
Users receive a message claiming to have been sent by the Johns Hopkins Centre for Health Security, an independent organisation Johns Hopkins University in Baltimore, Maryland.
The university has become known for producing detailed maps charting Covid-19 cases.
The phishing email includes an Excel attachment containing pandemic data such as infection and death rates.
But the documents also prompt the user to allow macros to execute, and if allowed to do so the macros download and run a tool for gaining remote access to the system.
NetSupport Manager is a legitimate remote-access tool, but is often misused as a remote access Trojan (RAT) to gain illicit control over remote systems.
The tool downloads and installs further components on the system, including .dll, .ini and other executable files, a VBScript and an obfuscated PowerSploit-based PowerShell script, Microsoft said.
It also connects to a remote server, allowing attackers to issue further commands to the infected system.
“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload,” Microsoft said on Twitter.
The company said it has seen a “steady increase” in malicious Excel 4.0 macros in phishing campaigns over the past several months.
“In April, these Excel 4.0 campaigns jumped on the bandwagon and started using Covid-19 themed lures,” the company stated.
Microsoft also warned of a campaign spreading the Trickbot malware that also uses the pandemic as a lure.
The campaign, which began last week, uses emails claiming to offer a “personal coronavirus check”, Microsoft said.
In April Google said it was blocking 18 million Covid-19-related scam emails per day, and more than 100 million per week.
Security experts advise users to be wary of emails sent from unknown senders.