Categories: SecurityWorkspace

Microsoft Uncovers ‘Massive’ Pandemic-Themed Phishing Campaign

Microsoft has warned of a “massive” malware campaign that spreads via scam emails made to appear to have been sent by a major US health research institute.

The phishing campaign takes advantage of fears around Covid-19 and attempts to take control of users’ Windows systems, Microsoft said.

The pandemic-themed campaign began on 12 May and has used several hundred unique Excel attachments, making it more difficult to protect against.

Users receive a message claiming to have been sent by the Johns Hopkins Centre for Health Security, an independent organisation Johns Hopkins University in Baltimore, Maryland.

Image credit: Microsoft

Remote access

The university has become known for producing detailed maps charting Covid-19 cases.

The phishing email includes an Excel attachment containing pandemic data such as infection and death rates.

But the documents also prompt the user to allow macros to execute, and if allowed to do so the macros download and run a tool for gaining remote access to the system.

NetSupport Manager is a legitimate remote-access tool, but is often misused as a remote access Trojan (RAT) to gain illicit control over remote systems.

The tool downloads and installs further components on the system, including .dll, .ini and other executable files, a VBScript and an obfuscated PowerSploit-based PowerShell script, Microsoft said.

It also connects to a remote server, allowing attackers to issue further commands to the infected system.


“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload,” Microsoft said on Twitter.

The company said it has seen a “steady increase” in malicious Excel 4.0 macros in phishing campaigns over the past several months.

“In April, these Excel 4.0 campaigns jumped on the bandwagon and started using Covid-19 themed lures,” the company stated.

Microsoft also warned of a campaign spreading the Trickbot malware that also uses the pandemic as a lure.

The campaign, which began last week, uses emails claiming to offer a “personal coronavirus check”, Microsoft said.

In April Google said it was blocking 18 million Covid-19-related scam emails per day, and more than 100 million per week.

Security experts advise users to be wary of emails sent from unknown senders.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Coronavirus: Apple Closes More Stores In US

As Coronavirus infections rise in the United States, Apple continues to close down more of…

34 mins ago

The Shape Of IT In A Post COVID-19 World

Global IT spend is projected to contract 8% in 2020, according to Gartner. Gartner expects…

56 mins ago

Advocacy Groups Warn Against Google’s Fitbit Acquisition

Twenty advocacy groups from around the world warn that Google's acquisition of Fitbit risks damaging…

2 hours ago

Google Buys North Smart Glasses, Closes Down Product

Canadian smart glasses maker North acquired by Google, which then immediately kills the next version…

3 hours ago

Twitter Removes Trump Tweet After Copyright Complaint

Twitter continues to challenge tweets from US President Donald Trump, with takedown of tweet due…

4 hours ago

The State of LawTech

What is the current state of LawTech? LawtechUK, will this year, pilot a government-backed LawTech…

1 day ago