Attackers used malicious Excel 4.0 documents to spread the weaponized NetSupport RAT in a spear-phishing campaign.
A recent spear-phishing campaign has been spotted spreading a weaponized NetSupport Manager remote access tool (RAT), which is a legitimate tool used for troubleshooting and tech support. Attackers use the ongoing coronavirus pandemic as a lure, as well as malicious Excel documents, to convince victims to execute the RAT.
Researchers with Microsoft’s security intelligence team said this week that the ongoing campaign started on May 12 and has used several hundred unique malicious Excel 4.0 attachments thus far – a trend that researchers said they’ve seen steadily increase over the past month.
“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload,” said the researchers in a series of tweets. “For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.”
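As an added illustration, not code from the article or from Microsoft's researchers, the following Python triage helper shows how a defender can surface the payload URL hidden behind obfuscated Excel 4.0 (XLM) formulas of the kind described above. It assumes the formulas have already been extracted from the workbook (for example with a tool such as olevba) and that the obfuscation is the common CHAR()-and-concatenation pattern; the article does not say which obfuscation this campaign used, and the sample macro sheet, the example.invalid URL and the file path are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Excel 4.0 (XLM) functions that can launch a program, call a DLL export,
# register a DLL function or rewrite other cells. General XLM knowledge used
# as a triage heuristic; this list is an assumption, not taken from the article.
SUSPICIOUS_FUNCS = ("EXEC", "CALL", "REGISTER", "FORMULA", "RUN")

_CHAR_RE = re.compile(r"CHAR\((\d+)\)", re.IGNORECASE)
_CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
_URL_RE = re.compile(r'https?://[^\s"\'<>()]+', re.IGNORECASE)


def deobfuscate(formula: str) -> str:
    """Resolve CHAR(n) calls and collapse "a"&"b" string concatenation.

    CHAR(34) (a double quote) is deliberately left untouched so the simple
    literal matching below is not confused by an embedded quote character.
    """
    def _char(match: "re.Match[str]") -> str:
        ch = chr(int(match.group(1)))
        return match.group(0) if ch == '"' else f'"{ch}"'

    text = _CHAR_RE.sub(_char, formula)
    while True:  # repeat until no adjacent literals remain
        collapsed = _CONCAT_RE.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', text)
        if collapsed == text:
            return text
        text = collapsed


def triage_sheet(cells: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Scan (cell reference, formula) pairs from a macro sheet.

    Returns the suspicious functions seen, every URL visible after
    de-obfuscation, the URLs that were NOT visible in the raw formula text
    (i.e. assembled at run time), and the cells that triggered a hit.
    """
    funcs, urls, hidden_urls, hits = set(), set(), set(), []
    for ref, formula in cells:
        clean = deobfuscate(formula)
        found = {fn for fn in SUSPICIOUS_FUNCS
                 if re.search(rf"\b{fn}\s*\(", clean, re.IGNORECASE)}
        raw_urls = set(_URL_RE.findall(formula))
        clean_urls = set(_URL_RE.findall(clean))
        if found or clean_urls:
            hits.append(f"{ref}: {clean}")
        funcs |= found
        urls |= clean_urls
        hidden_urls |= clean_urls - raw_urls
    return {
        "functions": sorted(funcs),
        "urls": sorted(urls),
        "obfuscated_urls": sorted(hidden_urls),
        "cells": hits,
    }


def is_suspicious(report: Dict[str, List[str]]) -> bool:
    """A plain HYPERLINK() is not a finding; a launch function or a URL that
    only exists after de-obfuscation is."""
    return bool(report["functions"]) or bool(report["obfuscated_urls"])


# Constructed macro sheet: A1 assembles a URL from CHAR() pieces so the
# string never appears in plain text; A3 launches a dropped file.
SAMPLE_MACRO_SHEET = [
    ("A1", '=CHAR(104)&CHAR(116)&CHAR(116)&CHAR(112)&"://example.invalid/"&"report.dat"'),
    ("A2", "=SUM(B1:B20)"),  # benign arithmetic, should not trigger
    ("A3", '=EXEC("C:\\Users\\Public\\stage.exe")'),  # constructed path
    ("A4", "=HALT()"),
]

if __name__ == "__main__":
    result = triage_sheet(SAMPLE_MACRO_SHEET)
    print("suspicious:", is_suspicious(result))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Because every attachment in the campaign resolved to the same download URL, the `obfuscated_urls` list is the field worth pivoting on: it lets a responder block or hunt for one network indicator across hundreds of files whose formula text otherwise looks different.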
The spear-phishing emails purport to come from the Johns Hopkins Center, which researches epidemics and disasters in order to “ensure that communities are resilient to major challenges,” according to its website. The emails are titled “WHO COVID-19 SITUATION REPORT” and claim to give an update on the confirmed cases and deaths related to the ongoing pandemic in the U.S.
The attached malicious Excel 4.0 document (which is titled “covid_usa_nyt_8702.xls” in the sample email) opens with a security warning and shows a graph of supposed coronavirus cases in the U.S. If a victim enables it, the macro is downloaded and the NetSupport Manager RAT is executed.
The emails purport to come from Johns Hopkins Center bearing "WHO COVID-19 SITUATION REPORT". The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT.
— Microsoft Security Intelligence (@MsftSecIntel) May 18, 2020
Researchers said that although NetSupport Manager is a legitimate tool, it is known for being abused by attackers to gain remote access to and run commands on compromised machines. For instance, earlier this year Palo Alto Networks’ Unit 42 division spotted a spam campaign attempting to deliver a malicious Microsoft Word document – using the disguise of a NortonLifeLock-protected file – that dropped the weaponized RAT.
“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script,” said researchers. “It connects to a C2 server, allowing attackers to send further commands.”
Researchers also listed the indicators of compromise (IoCs) for the campaign in a tweet.
The coronavirus lure is being utilized by bad actors daily to convince unwitting victims to open malicious documents, click on suspicious links or hand over their credentials. In a separate campaign also reported this week by Microsoft’s security team, emails on May 18 purporting to offer a “free COVID-19 test” actually spread the Trickbot trojan.
“Trickbot remains one of the most common payloads in COVID-19 themed campaigns,” said researchers. “In this new campaign, the attachment is a typical Excel file with a malicious macro code that, when enabled, drops a VBScript with malicious code hidden in its Alternate Data Stream (ADS). The VBScript connects to a C2 server to download the Trickbot payload.”