Microsoft warns of "massive campaign" using COVID-19 themed emails

Microsoft warns of “massive campaign” using COVID-19 themed emails

Pierluigi Paganini May 22, 2020

Experts from the Microsoft Security Intelligence team provided some details on a new “massive campaign” using COVID-19 themed emails.

Researchers from the Microsoft Security Intelligence team provided some details on a new massive phishing campaign using COVID-19 themed emails.

The messages used weaponized Excel documents, the IT giant observed a spike in the number of malicious documents in malspam campaigns which use Excel 4.0 macros.

“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.” states Microsoft in a Tweet.

The latest COVID-19 campaign began in April, the messages purport to be from the Johns Hopkins Center and use an Excel attachment. Once opened the attachment, it will show a graph of Coronavirus cases in the United States and trick the victims into enabling the macros to start the infection.

The macros drop a remote access tool (RAT) named NetSupport Manager, it is a legitimate application that is abused by attackers to take control over victim systems.

The emails purport to come from Johns Hopkins Center bearing "WHO COVID-19 SITUATION REPORT". The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT. pic.twitter.com/gXbxZOGpZf
— Microsoft Threat Intelligence (@MsftSecIntel) May 18, 2020

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines.” continues Microsoft.

The NetSupport RAT employed in this COVID-19-themed campaign also drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. Then it connects to a command and control server, allowing threat actors to send further commands.

Below the Indicators of Compromise (IoCs) shared by Microsoft:

Sample IoCs from this campaign: Excel attachments w/ malicious Excel 4.0 macros (SHA-256): 1ff9615577cc6cd702d847672a34260a72ba5a71f4b7dd5ebfd844d4835c68a7, 6b00e4c85ab9c2a0a724fc77177d5b55ff4369e5be068605a29fffe7173919f9. More in the COVID-19 intel feed: https://t.co/brFzZFiPoR
— Microsoft Threat Intelligence (@MsftSecIntel) May 18, 2020

Below a list or recommendations to avoid this threat:

Keep your anti-virus software up to date.
Search for existing signs of the threat using IoCs in your environment.
Keep applications and operating systems running and up to date.
Be vigilant with attachments and links in emails.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini June 24, 2025

The U.S. House banned WhatsApp on government devices due to security concerns

Pierluigi Paganini June 24, 2025