< Back to Blog

Avoid getting bitten by a NetSupport Manager RAT

June 23, 2020

On May 19, Microsoft warned of a massive phishing scam that takes advantage of the COVID-19 pandemic by luring unsuspecting users into opening legitimate-looking Excel files that contain malicious macros.

These malicious macros utilize VBA programming in Microsoft Office macros to inject a user’s system with malware. Cybercriminals have tapped into this simple and inexpensive method to embed malicious code into files, causing the malware to run as soon as the macros are opened. It is not surprising that the hackers chose to use Excel files. Trend Micro reports that Microsoft Office files are the most common file types used in targeted attacks.

When a recipient opens the attachment, malware is deployed and the targeted attack begins. While the phishing scheme can be avoided when users don’t open the attachments, during times of crisis like the current COVID-19 pandemic, the likelihood of a phishing campaign’s success is higher.

According to Microsoft Security Intelligence, this particular phishing campaign began on May 12, and appeared to come from the Johns Hopkins Center. The subject line read, “WHO COVID-19 SITUATION REPORT.”

Fake phishing email impersonating John Hopkins, using COVID to trick readers to click link

Each email includes s a unique malicious Excel 4.0 attachment — hundreds have been used so far —   containing a graph that shows the number of deaths in the USA based on data from the New York Times. But there is more than meets the eye. Hidden in the chart is a macro that – when enabled – automatically downloads and installs a deviation of NetSupport Manager, a commonly-used remote access tool (RAT) used for troubleshooting and tech support.


Once installed, the hacker can gain complete control of the compromised machine and execute commands remotely. Unfortunately, NetSupport Manager RAT is not the first or last phishing attempt that tries to capitalize on COVID-19. Though raising awareness about phishing scams may reduce the campaign’s success rate, it will never result in 100% coverage as there will always be user error, and advanced, sophisticated attacks can trick even seasoned cybersecurity professionals.

How to avoid getting “bitten” by the NetSupport Manager RAT

The only way to stop macro-based threats, including zero-day malware that can’t be detected by traditional protection solutions, is to invest in a solution that neutralizes all malicious elements in any and all incoming files.

Votiro Cloud is the only solution that guarantees complete protection from weaponized files. Unlike detection-based file security solutions that scan for suspicious elements and block some malicious files, Votiro’s revolutionary Positive Selection technology singles out only the safe elements of each file, ensuring every file that enters your organization is 100% safe. Founded in 2010 by leading file security experts, Votiro’s new approach to file security works invisibly in the background, completely eliminating threats while ensuring zero interruption to business. For more information about how Votiro can help you prevent damage from malicious macros, click here for a demo and experience 100% secure for yourself.