New Malware Attack Detected with Fake Pandemic Info from Johns Hopkins

May 27, 2020 by ACA Aponix


Microsoft Security Intelligence has issued a security warning regarding a massive malware attack that is currently underway. In this attack, bad actors send emails purporting to be from Johns Hopkins Center containing supposed COVID-19 information. The emails contain Excel attachments typically titled “WHO Covid-19 Security Report.” When users click on the file, a malicious macro downloads the NetSupport Manager remote access tool (RAT) which enables remote access into the system. The criminals then install additional malware on the system, access and exfiltrate data, and use the system for other illegal activity via a remote command and control server. Similar NetSupport Manager malicious downloads have been noted using emails purporting to provide COVID-19 personal testing and services. Per Microsoft, the use of NetSupport Manager in phishing attempts has been noted previously, but since May 12, criminals have shifted to using COVID-19 information as a lure in these efforts on a “massive” basis.

ACA Guidance

ACA recommends that individuals and companies as a whole continue to maintain extra vigilance toward information purporting to provide pandemic-related information and services, particularly when from an unknown source.

  • Implement and refresh a user training program, focusing on prevention of phishing, spearphishing, and other forms of social engineering, with particular emphasis placed on pandemic-related lures.
  • When confronted with questionable information, open a browser and search for news regarding the suggested message, which will likely reveal its malicious intent.
  • Exercise extreme caution when accessing emails with attachments; only open attachments from reliable sources.
  • Use Trust Center to block the execution of macros. Consider blocking Excel and other Office attachments if not routinely needed from external parties.
  • Ensure all operating system, anti-malware, and device patches are regularly installed via a mandatory patching policy.
  • Ensure device patching programs reach and are enforced for users in the work from home environment.
  • Perform a cybersecurity risk assessment, in which potential areas of risk are located, and controls are subsequently detailed.
  • Test network vulnerability with internal and external penetration testing.
  • Ensure access to networks and devices are closely monitored and authenticated. Enforce a strong password policy, while simultaneously using multi-factor authentication.

Additional Resources

ACA is actively monitoring the developments related to COVID-19 and producing resources to help your firm address operational challenges created by this pandemic. Visit our COVID-19 Resources page to access all of the resources we've developed that may help your firm navigate through the restrictions in place to curb the pandemic.

Read More

How We Help

ACA offers the following solutions that can help firms enhance their cybersecurity in light of the announced Apple iPhone and iPad email vulnerability:

Contact Us

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.