COVID-19 + Excel Attachment = Lost Data

The latest warning from Microsoft unveils a widespread attack that attempts to download a remote access Trojan (RAT) onto infected machines. So what’s new about that? Nothing really, except for the way the criminals have organized the attack.

To no one’s surprise, the attack begins with a phishing email. At this stage, these emails don’t seem to have specific targets in mind as they are apparently distributed through bots/botnets. That said, keep in mind that this could be upgraded into a spearphishing attack wherein key people in enterprises may be targeted. For now, just be aware of any email that evades your spam filter and seems to come from Johns Hopkins or W.H.O. (World Health Organization). There is usually a tie in to COVID-19 in the subject line. Yes, I know. You’d think this angle has played itself out, but, apparently, it’s still being exploited. Here is an example of one of these emails. I’ve noted a few points to look for.

covid19 email

First of all, the sender’s address is spoofed. It is made to look as if it comes from John Hopkins. Often, these are Gmail addresses. Second, pay attention to the attachment. It seems to bear an appropriate name and appears as an Excel document. Since people may expect data to be presented in such documents, this may seem to be a valid attachment. Finally, the message itself is brief and to the point. It appears to be some sort of daily update from Johns Hopkins. If only these criminals knew how to write in decent English. The last line of the message gives the scam away. “Horrible graphs by United States”? In some of these emails, the attachment was actually named, “horrible graphs”.

Other emails are even worse but promise free COVID-19 tests.


Buy let’s suppose you had a bad night’s sleep and aren’t paying much attention or let’s suppose that you, yourself, are not a native English speaker and can’t see that the message is poorly written. In this case, you may download the attachment to see what’s happening. Surprisingly, you may even get something like the following that seems like valid information.

excel sheet

But there’s an important catch. Before opening the attachment, you will get a warning about enabling macros. The Golden Rule is to never enable macros because that’s like saying, “yes, install malware on my computer.” And that is exactly what will happen if you finally open the attachment. Seeing the image shown above, you may assume all is well. But it is not. You will have installed something called the NetSupport Manager RAT. It will automatically begin to run.

NetSupport Manager is a legitimate Microsoft program that anyone can purchase to remotely control another device. You can even get a free trial period.


The fact that it is a legitimate program means that most antivirus software won’t detect it as malware. Even if you were to get a message that the program was suspicious, you still may not stop it from running because an online check would show it as valid.

Like all RATs, once they are installed, the attackers have full control of your computer. They can remotely look through your files and select the ones they want. They can turn on your camera and make videos. They can watch as you log into your bank account or email, and they can move through any network that you might be connected to. If they happen to locate the company you work for, they can launch a ransomware attack against it to pick up some cash. Yet, another reason companies need to use the best endpoint protection they can get.

There are a number of ways you can get this malware on your device. Often, it comes packaged with infected apps or apps that give you a fake update message, such as the following for Google Chrome.

chrome update

If you happen to be unlucky enough to have installed this malware on your device, you may have some difficulty removing it. This is because your usual antivirus program will not recognize it as a problem. This site gives you the option of downloading free malware removal software or doing a manual removal of your own. Sadly, by the time you get to this point, it is likely that your device has already been compromised and the  attackers have probably already gotten what they came for. In this case, it’s time to reset all of your passwords. It’s a hard lesson to learn but that’s simply the price of not knowing enough about cybersecurity. Next time, you will.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s