Massive Phishing Campaign Distributing Legitimate Remote Admin Tool as RAT

A phishing campaign has been detected that exploits the COVID-19 pandemic to spread a legitimate remote administration tool which is being used as a remote access Trojan. If installed, the attacker will have full control of an infected device.

The “massive campaign” was detected by the Microsoft Security Intelligence team, which intercepted emails using malicious Excel spreadsheets to install the NetSupport Manager remote administration tool. The emails appear to have been sent from the Johns Hopkins Center with the spreadsheet claiming to provide a daily update on deaths in the United States from COVID-19.

The subject line of the emails is “Covid-19. May 12 horrible Charts”, with the body of the email stating, “EPI UPDATE The WHO COVID-19 Situation Report for May 12 reported 4,294,691 confirmed COVID-19 cases (80,617 new) and 288,531 deaths. See included Horrible graphs by United States.”

The spreadsheet attached to the email is named “covid_usa_nyt_8072.xls. If the spreadsheet is opened, the user will see data from the New York Times on COVID-19 deaths and the user will be prompted to enable content. If content is enabled, a malicious macro will run that downloads the NetSupport Manager client (dwm.exe).

Microsoft reports that hundreds of unique Excel spreadsheets have been used in this campaign, all of which link to the same malicious URL and download NetSupport Manager.

Once installed, NetSupport Manager will give the attacker full control of the device and will allow commands to be run and further malicious files to be downloaded.

“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands,” explained Microsoft in a series of Tweets about the phishing campaign.

Once a machine is compromised, the attackers will likely attempt to steal passwords and other sensitive data and move laterally and compromise other devices on the network.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of