
Microsoft: Hackers use legal RAT in phishing campaign


Microsoft is warning about an ongoing COVID-19-themed phishing campaign that installs the NetSupport Manager remote administration tool.

The Microsoft Security Intelligence team describes how this "massive campaign" spreads the tool via malicious Excel attachments.

The attack starts with phishing emails that claim to come from the Johns Hopkins Center and purport to deliver an update on the number of COVID-19 deaths in the United States.

Attached to the phishing email is an Excel file named «Covid_usa_nyt_8072.xls», which, when opened, displays a chart of the number of deaths in the USA, supposedly based on data from the New York Times.


The document contains malicious macros and prompts the user to click "Enable Content". If the user does, the macros run, downloading and installing the NetSupport Manager client from a remote website.

"The hundreds of unique Excel files in this phishing campaign use highly obfuscated formulas, but they all point to the same URL and download the payload. NetSupport Manager is often used by hackers to gain remote access and execute commands on compromised computers," Microsoft said in a tweet.

NetSupport Manager is a legitimate remote administration tool. However, attackers use it as a remote access trojan (RAT).

Once installed, it gives the attacker complete control of the infected machine and the ability to execute commands remotely.

In this attack, the NetSupport Manager client is saved as dwm.exe under a randomly named folder in %AppData% and then launched. The name is borrowed from the legitimate Windows Desktop Window Manager binary, which lives in %SystemRoot%\System32, so a dwm.exe running from any other location is a strong indicator.
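The following is an added detection example, not code from the article or from Microsoft. It runs over a constructed set of process-creation records (the kind of data an EDR or Sysmon export would provide; these records are invented for illustration) and flags a dwm.exe that is not running from %SystemRoot%\System32, noting when it sits under AppData or was spawned by an Office process. The Office-parent heuristic is an assumption of this example; the article only says that the macro downloads, installs and starts the client.

```python
import os
from pathlib import PureWindowsPath

# Constructed sample process-creation records; illustrative only, not real
# telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"pid": 1120, "image": r"C:\Windows\System32\dwm.exe",
     "parent": r"C:\Windows\System32\winlogon.exe"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Roaming\Kxw9Qz\dwm.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 5200, "image": r"C:\Users\alice\AppData\Roaming\Kxw9Qz\DWM.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"pid": 6011, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]

# The only legitimate home of dwm.exe is %SystemRoot%\System32. On a Windows host
# SystemRoot comes from the environment; off-host we assume the usual C:\Windows.
LEGIT_DWM_DIR = PureWindowsPath(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"

# Assumed heuristic: Office processes that should never spawn dwm.exe.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def is_masquerading_dwm(image: str) -> bool:
    """True if the image is named dwm.exe but does not live in System32.

    Comparisons are case-insensitive and PureWindowsPath normalises forward
    slashes, so 'C:/Windows/System32/DWM.EXE' is still treated as legitimate.
    """
    p = PureWindowsPath(image)
    if p.name.lower() != "dwm.exe":
        return False
    return str(p.parent).lower() != str(LEGIT_DWM_DIR).lower()


def is_under_appdata(image: str) -> bool:
    """True if any path component is 'AppData' (the campaign's drop location)."""
    return "appdata" in [part.lower() for part in PureWindowsPath(image).parts]


def spawned_by_office(parent: str) -> bool:
    """True if the parent process is an Office application (assumed heuristic)."""
    return PureWindowsPath(parent).name.lower() in OFFICE_PARENTS


def find_suspicious(events):
    """Return the events that look like a masquerading dwm.exe, with reasons."""
    hits = []
    for ev in events:
        if not is_masquerading_dwm(ev["image"]):
            continue
        reasons = ["dwm.exe outside System32"]
        if is_under_appdata(ev["image"]):
            reasons.append("runs from AppData")
        if spawned_by_office(ev["parent"]):
            reasons.append("spawned by Office process")
        hits.append({"pid": ev["pid"], "image": ev["image"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['image']} -> {', '.join(hit['reasons'])}")
```

The check deliberately keys on the binary's location rather than its name alone, because the name is exactly what the attacker copies; on a real host, confirm a hit by inspecting the file's signature and version information, since the legitimate Desktop Window Manager is Microsoft-signed.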

Because the remote management tool is legitimate software, users may not notice anything unusual.

After some time, the NetSupport Manager RAT is used to compromise the victim's computer further by installing additional tools and scripts.

Anyone affected by this phishing campaign should respond as they would to a data breach and assume that passwords have been stolen.

It is also possible that the attackers are using the infected machine to move laterally across the network.

After cleaning the infected device, the credentials used to access the other computers on the network must be changed, and those computers must be investigated for possible infection.
