Original Release Date: 5/26/2020
COVID-19 phishing emails continue, this time installing a trojanized NetSupport Manager remote administration tool. Claiming to be from the Johns Hopkins Center, the email contains an attached document detailing the number of COVID-19-related deaths in the US. If macros are enabled, the NetSupport Manager client is downloaded and installed from a remote site. NetSupport Manager is a legitimate tool used by administrators to gain remote access to client computers, but threat actors have weaponized it to serve as a remote access trojan (RAT). Once it is installed, the threat actor gains control of the device and can remotely execute commands. Also observed in this massive campaign, the NetSupport RAT drops various malicious files and an obfuscated PowerSploit-based script, and connects to a command and control server, allowing the threat actor to send additional commands and enabling future attacks. Researchers assess that lateral movement within the network may be possible.
The NJCCIC recommends victims remove any infected devices from the network immediately upon discovery and scan other possibly infected devices on the network. Additionally, we urge victims to change passwords once the device has been cleaned and to enable multi-factor authentication where available. Additional information can be found in the Bleeping Computer article.
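One way to triage other hosts for the pattern described above, as an added example that is not part of the NJCCIC advisory: because NetSupport Manager is a legitimate tool, the check flags its client only when it runs outside an approved install directory or descends from an Office process. The binary name `client32.exe`, the approved directory, the event field names and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumptions (not from the advisory): client32.exe as the NetSupport Manager
# client binary, the approved install directory, and the event field names.
CLIENT_BINARY = "client32.exe"
APPROVED_DIRS = ("c:\\program files (x86)\\netsupport\\netsupport manager\\",)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def office_ancestor(event, by_pid):
    """Walk the parent chain and return the first Office process name found."""
    seen = set()  # guards against loops caused by PID reuse in the log
    pid = event["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        name = ntpath.basename(by_pid[pid]["image"]).lower()
        if name in OFFICE_APPS:
            return name
        pid = by_pid[pid]["ppid"]
    return None

def flag_netsupport(events):
    """Return (pid, reasons) for NetSupport client launches that look planted."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = ntpath.normpath(e["image"]).lower()
        if ntpath.basename(image) != CLIENT_BINARY:
            continue
        reasons = []
        if not image.startswith(APPROVED_DIRS):
            reasons.append("outside approved install directory")
        parent = office_ancestor(e, by_pid)
        if parent:
            reasons.append("descends from " + parent)
        if reasons:
            findings.append((e["pid"], reasons))
    return findings

# Constructed process-creation events (not taken from the campaign).
SAMPLE_EVENTS = [
    {"pid": 50, "ppid": 4, "image": r"C:\Windows\System32\services.exe"},
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Roaming\example-dir\client32.exe"},
    {"pid": 500, "ppid": 50, "image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"},
]
```

Calling `flag_netsupport(SAMPLE_EVENTS)` flags only PID 400; the IT-deployed client started by `services.exe` from the approved directory is left alone.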