As pandemic continues, cyber criminals are thriving on confusion and concern.
Cyber criminals love this pandemic. They continue making money at our expense.
This particular attack has gotten so bad that Microsoft issued a warning to users. In this widespread Phishing campaign, attackers send legitimate-looking emails referencing COVID-19 (see more here) to trick users into opening an attachment.
The emails claim to originate from The Johns Hopkins Center with titles like "WHO COVID-19 SITUATION REPORT."
The attached spreadsheet includes statistics about Coronavirus cases. While it looks like real data, this file secretly contains a hacker payload in the form of malicious macros.
We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. -Microsoft Security Intelligence
So what does this mean?
Hackers included malicious Excel macros that launch NetSupport Manager under their control. To be sure, NetSupport is a legitimate tool for remote desktop control. The problem is that it can be badly abused by hackers. (also like this)
The NetSupport RAT (Remote Access Tool) connects to a C2 server to administer more commands.
Once in control of the NetSupport desktop application, attackers can launch any form of attack they desire: including installing keyloggers, exfiltrating data and ransoming the network.
This is a very 'smart' attack, but it's important to not get stuck on the complexity of the payload. As with nearly every attack, this all starts with well-crafted Phishing emails. Even if you keep your macros blocked by default, it's all too easy to allow them when prompted.
The unfortunate reality is that attackers will continue targeting your employees with crafty Phishing emails.
Are you ready to take action?
Start with booking quick call to learn how INFIMA's Automated Security Awareness platform easily instructs and tests your team.
To get a quote, set up a call with our (non-pushy) team here!
Join the newsletter to receive the latest updates in your inbox.