NetSupport RAT spread through Fake Coronavirus Report Emails

A recent phishing campaign has been found spreading the NetSupport Manager remote access tool, a legitimate product used for troubleshooting and tech support. The attackers use the ongoing coronavirus pandemic to trick victims into executing the RAT. Microsoft's security intelligence team stated that the campaign started on May 12 and has used several hundred unique malicious Excel 4.0 attachments.

The unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. Researchers have been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns, and in April these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures. The phishing emails pretend to come from the Johns Hopkins Center, which researches epidemics and disasters. The emails are titled WHO COVID-19 SITUATION REPORT and claim to give an update on the confirmed cases and deaths related to the ongoing pandemic in the U.S. The attached malicious Excel 4.0 document opens with a security warning and shows a graph of supposed coronavirus cases in the U.S. If the victim enables the content, the macro runs, downloads the payload and executes the NetSupport Manager RAT.
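Obfuscated Excel 4.0 formulas of the kind described above typically assemble their real text out of CHAR() calls joined with &, so a keyword scan over the raw formula finds nothing. The following triage script is an added example written for this page, not code from the article or from Microsoft's research: it folds that one obfuscation trick and then looks for the macro-only functions (EXEC, CALL, REGISTER, FORMULA) and embedded URLs that a downloader needs. The sample cells are constructed for the example (the URL uses the reserved example.invalid domain) and are not formulas from the campaign; in practice the formulas would come from an extraction tool such as olevba.

```python
import re
from dataclasses import dataclass

# Excel 4.0 macro functions that ordinary spreadsheets almost never use but
# macro downloaders depend on. The list is this example's own triage choice.
_SUSPICIOUS_CALL = re.compile(r"\b(EXEC|CALL|REGISTER|FORMULA)\s*\(", re.IGNORECASE)
_CHAR_CALL = re.compile(r"CHAR\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s\"',)]+", re.IGNORECASE)


def deobfuscate(formula: str) -> str:
    """Resolve CHAR(n) calls and fold "a"&"b" concatenation into "ab".

    This reverses the most common XLM obfuscation so a keyword scan sees the
    text the macro builds at run time. It does not evaluate the formula.
    """
    # CHAR(n) -> the literal character, quoted so it concatenates cleanly.
    text = _CHAR_CALL.sub(lambda m: '"' + chr(int(m.group(1))) + '"', formula)
    # "ab"&"cd" -> "abcd": drop the closing quote, the &, and the opening quote.
    return re.sub(r'"\s*&\s*"', "", text)


@dataclass
class Verdict:
    decoded: str            # formula after deobfuscation
    suspicious_calls: list  # macro-only functions found in the decoded text
    urls: list              # URLs found in the decoded text
    char_calls: int         # how many CHAR() calls the raw formula used

    @property
    def suspicious(self) -> bool:
        return bool(self.suspicious_calls or self.urls)


def triage_formula(formula: str) -> Verdict:
    decoded = deobfuscate(formula)
    return Verdict(
        decoded=decoded,
        suspicious_calls=sorted({m.group(1).upper() for m in _SUSPICIOUS_CALL.finditer(decoded)}),
        urls=_URL.findall(decoded),
        char_calls=len(_CHAR_CALL.findall(formula)),
    )


def triage_sheet(cells: dict) -> list:
    """Return the addresses of cells whose formula looks like dropper code."""
    return [addr for addr, formula in cells.items() if triage_formula(formula).suspicious]


# Constructed sample cells for this example; not formulas from the campaign.
SAMPLE_CELLS = {
    "A1": "=SUM(B1:B30)",                                           # benign
    "A2": '=IF(B2>100,"rising","flat")',                            # benign
    "A4": "=EXEC(CHAR(99)&CHAR(97)&CHAR(108)&CHAR(99))",            # decodes to EXEC("calc")
    "A5": '="http://ex"&"ample.invalid/"&CHAR(114)&"eport.xls"',    # hidden placeholder URL
    "A6": '=FORMULA(CHAR(61)&"A4",C1)',                             # writes "=A4" into C1
}

if __name__ == "__main__":
    for addr, formula in SAMPLE_CELLS.items():
        v = triage_formula(formula)
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{addr}: {flag:10} calls={v.suspicious_calls} urls={v.urls} -> {v.decoded}")
```

The script only handles CHAR()-and-& assembly; formulas that read their text from other cells or from document properties need the macro emulated rather than pattern-matched, which is why a cell count of CHAR() calls is reported alongside the verdict as a second signal.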


Although NetSupport Manager is a legitimate tool, it is known for being used by hackers to gain remote access to compromised machines and run commands on them. Earlier this year, Palo Alto Networks' Unit 42 division spotted a spam campaign attempting to deliver a malicious Microsoft Word document that dropped the weaponized RAT. The NetSupport RAT used in this campaign drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a command-and-control (C2) server, allowing the hackers to send further commands.
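The chain described in this article, an Office document that leads to a VBScript, a PowerShell script and dropped executables, leaves a distinctive process lineage on the endpoint. The detector below is an added example for this page, not code from the article or from any vendor: it walks process-creation events, finds processes that descend from an Office application, and flags script hosts, encoded PowerShell command lines, and executables running from outside Program Files or Windows. The event records, file names and the base64 argument are constructed placeholders, not indicators from the campaign.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str


@dataclass
class Alert:
    pid: int
    office_pid: int   # the Office ancestor that makes this lineage suspicious
    reasons: list


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories a normal user cannot write to; anything launched from elsewhere
# (AppData, Temp, Downloads) under an Office parent deserves a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
# -e, -ec, -enc, -encodedcommand are all accepted by powershell.exe.
_ENCODED = re.compile(r"\s-e(ncodedcommand|nc|c)?(\s|$)", re.IGNORECASE)


def ancestors(event: ProcEvent, by_pid: dict):
    """Yield the parent, grandparent, ... of event; guards against pid cycles."""
    seen = set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events: list) -> list:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        office = next((a for a in ancestors(e, by_pid)
                       if ntpath.basename(a.image).lower() in OFFICE_APPS), None)
        if office is None:
            continue  # not descended from an Office app: out of scope here
        name = ntpath.basename(e.image).lower()
        reasons = []
        if name in SCRIPT_HOSTS:
            reasons.append("script host")
        if not e.image.lower().startswith(TRUSTED_DIRS):
            reasons.append("executable outside Program Files or Windows")
        if name in {"powershell.exe", "pwsh.exe"} and _ENCODED.search(e.cmdline):
            reasons.append("encoded PowerShell command")
        if reasons:
            alerts.append(Alert(e.pid, office.pid, reasons))
    return alerts


# Constructed sample lineage for this example (pids, paths and the base64
# argument are placeholders, not artefacts from the campaign).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              'EXCEL.EXE "WHO COVID-19 SITUATION REPORT.xls"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Roaming\placeholder\run.vbs"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc AAAAPLACEHOLDER"),
    ProcEvent(500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(600, 200, r"C:\Users\alice\AppData\Roaming\placeholder\updater.exe", "updater.exe"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid {a.pid} under Office pid {a.office_pid}: {', '.join(a.reasons)}")
```

Walking the full ancestry rather than checking only the direct parent matters here: the PowerShell stage is a grandchild of Excel via wscript.exe, and a parent-only rule would miss it. The rule produces nothing for Excel itself or for unrelated processes, so on a real host the noise comes mainly from add-ins that legitimately spawn helpers; those are best handled by an allow-list on image path and signer rather than by loosening the lineage check.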