Microsoft warns Windows 10 users to look out for new threat attacking PCs
May 25, 2020 10:05 am
Windows 10 users need to be aware of a new threat which can let hackers completely take over their machines and execute commands remotely.
This week Microsoft issued a warning about the ongoing and “massive” phishing campaign which tries to take advantage of people’s concerns over the coronavirus. The scam begins with an email being sent claiming to offer an important update on COVID-19, and the message features an Excel document attached.
This file is included in a message allegedly from the Johns Hopkins Center, and when opened it does display a graph showing details on coronavirus cases and deaths.
But despite this legitimate-looking diagram, the document also contains malicious macros that run once the user clicks ‘Enable Content’ when prompted.
As reported by Bleeping Computer, once this is clicked the NetSupport Manager remote administration tool is installed.
This commonly distributed hacking tool is a trojan that gives a threat actor remote access to an infected machine.
Discussing the threat, the Microsoft Security Intelligence team posted on Twitter: “The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload.
“NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines.”
The RAT is also capable of compromising a victim’s Windows 10 machine even further by installing other malicious tools and scripts.
The Microsoft Security Intelligence Twitter account added: “The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands.”
If you have already fallen victim to this campaign then you should assume your data has been compromised and that a malicious party has tried to steal your passwords.
Make sure you clean the infected device and change all passwords on your machine as well as those belonging to other computers on your network.
Speaking about the threat, Jake Moore, the Cybersecurity Specialist at ESET, said: “Remote attacks are inevitably going to be on the increase as more people access their office networks remotely.
“As the UK workforce went home, large numbers of people have fired up their own, and no doubt old, devices to work from.
“This increases the chances of attacks without the proper security checks in place, but coupled with authentic-looking emails with a genuine reason to use remote software, it becomes a plausible con.
“Moreover, it would seem many people have relaxed their barrier to phishing scams amid the desperation to find the latest COVID-19 news, so when scammers use names like Johns Hopkins University, this seems to be working better than the classic Netflix or HMRC scams.”