Microsoft Warns of COVID-19 Email Malware Scam

Microsoft and Sophos have warned users to watch out for emails which claim to offer statistics about the COVID-19 pandemic. They actually harbor a combination of malware and legitimate tools that could easily be abused by a hacker.

The emails in question have subject lines such as "Covid-19: [May 22] horrible Charts", claim to come from legitimate sources such as John Hopkins University, and have an attachment that's billed as a spreadsheet file with statistics about deaths and infections. (Source: twitter.com)

Malicious Macro

The attachment does indeed have an Excel file, but the problem is that it includes macros. These are a set of instructions for the computer to carry out a series of steps in a row. This can be a great time-saver in office software when used correctly, but can also automate malicious activity.

In this case the macro tells the computer to download and install a range of files, many of them malicious. Perhaps surprisingly they also include components of the entirely legitimate NetSupport Manager.

This lets somebody remotely access a computer. That's great when it's a technical expert helping a customer (or an ordinary user helping a friend or relative). It's no so great when it's a hacker looking to damage a computer, hunt for sensitive data, or simply use their access to make tech support scams more credible.

Remote Access Tool Disguised

One sign there's something amiss is that the components of NetSupport Manager are installed under the filename dwm.exe. Security company Sophos explains that's done so that if it shows up as a running process in Task Manager, it's likely to be confused with Desktop Window Manager. (Source: sophos.com)

The idea is that it's very credible that Desktop Window Manager would be running at any randomly chosen time, whereas users might be surprised to see remote access software running without them having authorized it.

Sophos notes that as well as the usual advice of not opening attachments on unsolicited emails, users should be very wary about enabling macros in an Office file. In particular, they should ignore any claim that doing so is necessary to display a file correctly.

It's also worth thinking about the wording of the scam email subject line. A legitimate or authoritative source would be unlikely to describe official statistics as "horrible" no matter how human that reaction might be.

What's Your Opinion?

Have you seen such an email? Have you ever dropped your security defences because of an emotional topic? Would it be worthwhile for email applications to warn users whenever they try to open an attachment?