Windows 10 News and info | Forum
Topic: Microsoft warns of 'massive' phishing attack pushing legit RAT
« on: May 21, 2020, 10:17:26 PM »

Microsoft is warning of an ongoing COVID-19 themed phishing campaign that installs the NetSupport Manager remote administration tool.

In a series of tweets, the Microsoft Security Intelligence team outlines how this "massive campaign" is spreading the tool via malicious Excel attachments.

The attack starts with emails pretending to be from the Johns Hopkins Center, which is sending an update on the number of Coronavirus-related deaths there are in the United States.

Malicious COVID-19 themed email

Attached to this email is an Excel file titled 'covid_usa_nyt_8072.xls', that when opened, displays a chart showing the number of deaths in the USA based on data from the New York Times.

Malicious Excel document

As this document contains malicious macros, it will prompt the user to 'Enable Content'. Once clicked, malicious macros will be executed to download and install the NetSupport Manager client from a remote site.

"The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines," Microsoft tweeted.

The NetSupport Manager is a legitimate remote administration tool commonly distributed among the hacker communities to use as a remote access trojan.

When installed, it allows a threat actor to gain complete control over the infected machine and execute commands on it remotely.

In this particular attack, the NetSupport Manager client will be saved as the dwm.exe file under a random %AppData% folder and launched.

As the remote administration tool is masquerading as the legitimate Desktop Window Manager executable, it may not be noticed as unusual by users viewing Task Manager.

NetSupport Manager running as DWM.exe

After some time, the NetSupport Manager RAT will be used to further compromise the victim's computer by installing other tools and scripts.

"The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands," Microsoft explained.

Anyone who was affected by this phishing campaign should operate under the assumption that their data has been compromised and that the threat actor attempted to steal their passwords.

It is also possible that the threat actor used the infected machine to spread laterally throughout the network.

After cleaning the infected device, passwords should be changed, and the rest of the computers on the network should be investigated for infections.
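
The post says the client is saved as dwm.exe under a random %AppData% folder so that it resembles the genuine Desktop Window Manager. The following is an added example, not part of the original post or of Microsoft's guidance, that checks process-creation records for a dwm.exe image running outside System32. The record layout, host names, user names and folder names are constructed, and the hard-coded C:\Windows system root is an assumption.

```python
import ntpath

# Assumption: the genuine Desktop Window Manager binary lives only in
# %SystemRoot%\System32; SYSTEM_ROOT is hard-coded here for the example.
SYSTEM_ROOT = r"C:\Windows"
EXPECTED_DIRS = {"dwm.exe": {ntpath.join(SYSTEM_ROOT, "System32").lower()}}

# Constructed process-creation records (hypothetical hosts, users and folders).
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Windows\System32\dwm.exe"},
    {"host": "WS-02", "image": r"C:\Users\alice\AppData\Roaming\kqzxv\dwm.exe"},
    {"host": "WS-03",
     "image": r"C:\Windows\System32\..\..\Users\bob\AppData\Local\tmp1\DWM.EXE"},
    {"host": "WS-04", "image": r"C:\Windows\System32\notepad.exe"},
]


def classify(event):
    """Return a finding if a watched system binary name runs from an unexpected folder."""
    # normpath collapses ".." segments; lower() handles case-insensitive Windows paths.
    image = ntpath.normpath(event["image"]).lower()
    directory, name = ntpath.split(image)
    allowed = EXPECTED_DIRS.get(name)
    if allowed is None or directory in allowed:
        return None  # not a watched name, or running from its real location
    return {
        "host": event["host"],
        "image": image,
        # True when the image sits under a user's AppData tree, as in the post.
        "in_appdata": "\\appdata\\" in image,
    }


def find_masquerades(events):
    """Collect findings for every record that classify() flags."""
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for finding in find_masquerades(SAMPLE_EVENTS):
        print(finding)
```
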

