COVID-19 Weekly Threat Roundup: April 10

April 10, 2020 Louis Evans

Welcome back to the Arctic Wolf COVID-19 Weekly Threat Roundup. 

This series is part of how we’re helping our customers and the broader cybersecurity community during this challenging period. 

This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Every Friday we will summarize key cybersecurity news for the week, organized by major themes.  

In each item we’ll include a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team. 

You can read last week’s roundup here.  

Let’s get started. 

1. Continued COVID Phishing 

Stimulus Phishing  

Attack summary: Phishing campaigns falsely offering stimulus or relief funds continue to proliferate. Many of the recent campaigns impersonate particular prominent financial institutions. In this campaign, malicious actors impersonated American Express and linked to a Google Doc which pointed to an additional malicious link.  

IOC(s): https://worldsatellitemedia[.]com/wp-includes/class.php 


  • Inform employees about the risk of stimulus phishing.  
  • Emphasize the possibility that a phishing email will impersonate their own financial institution. Remind them to contact their bank (or other financial institution) via a known method to verify inbound communications.   
  • Ensure that mail security identifies known-malicious domains and links from the latest threat intelligence.  
  • Use detection and response solutions to identify any systems or accounts compromised by advanced attackers. 


COVID-19 Nigerian Prince/419 Scam 

Attack summary: In the Nigerian Prince scam, malicious actors distribute emails claiming to offer a large sum of money, but ask for a small fee up front. In this case, the offer is justified with reference to the COVID-19 pandemic.  

IOC(s): The reply-to address used in this attack was who.specialfundsdpt01[@]gmail[.]com 


  • Advise employees about the risk of advance-fee scams. 
  • Ensure that mail security identifies known-malicious domains and links from the latest threat intelligence.  


COVID Impersonation Phishing: “CEO message” 

Attack summary: In this COVID phishing scheme, the email pretended to be an urgent message from the CEO with critical COVID employee information. The payload was a PDF which included an obfuscated malicious URL. The attack ultimately led to a page used to steal Microsoft credentials.  


  • Maintain email security training programs. 
  • Use mail tools to flag all external emails as [EXTERNAL] in the subject line, making it harder for malicious actors to impersonate company officers. 
  • Maintain clear, open, and regular pathways for COVID-19 related communication, so that employees can recognize legitimate updates and differentiate them from scams. 
  • Use detection and response solutions to identify any systems or accounts compromised by advanced attackers. 


WHO Spearphishing Campaign 

Attack summary: In this spearphishing campaign, attackers impersonated the WHO. The false email promised to correct COVID-19 information and contained a malicious attachment, compressed to avoid identification.  


File IOCs

  • [SHA256: 9e17f5e70c30ead347b68841fa137015d713269add98f0257fb30cc6afdea4fe] 
  • [SHA256: f8e041bed93783bbd5966bfba6273fe7183464035ea54fe1d59ff85a679b3e3e] 

Network IOCs

  • hxxp://bslines[.]xyz/copy/five/fre.php 
  • 159[.]69[.]16[.]177 


  • Ensure that mail security and antivirus identify malicious links and files with the latest threat intelligence. 
  • Use detection and response solutions to identify any systems or accounts compromised by advanced attackers. 
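The recommendation to have mail security identify known-malicious domains and links depends on turning defanged indicators like the ones above into something a filter can match. The following is an added example, not Arctic Wolf's code: it refangs the indicators published in this roundup and checks them against parsed messages. The message fields (`reply_to`, `body`) and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published in this roundup, left defanged in source.
PAGE_IOCS = [
    "https://worldsatellitemedia[.]com/wp-includes/class.php",
    "hxxp://bslines[.]xyz/copy/five/fre.php",
    "159[.]69[.]16[.]177",
    "who.specialfundsdpt01[@]gmail[.]com",
]

def refang(value):
    """Undo common defanging: hxxp -> http, [.] -> ., [@] -> @."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.I)
    return value.replace("[.]", ".").replace("[@]", "@").lower()

def build_watchlist(iocs):
    """Split indicators into hosts (domains or IPs) and e-mail addresses."""
    hosts, emails = set(), set()
    for ioc in map(refang, iocs):
        if "://" in ioc:
            hosts.add(urlsplit(ioc).hostname)
        elif "@" in ioc:
            emails.add(ioc)  # full address only: never watchlist gmail.com itself
        else:
            hosts.add(ioc)
    return hosts, emails

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def match_message(msg, hosts, emails):
    """Return the sorted reasons a parsed message matches the watchlist."""
    hits = set()
    reply_to = msg.get("reply_to", "").strip().lower()
    if reply_to in emails:
        hits.add("reply-to:" + reply_to)
    for url in URL_RE.findall(msg.get("body", "")):
        host = urlsplit(url).hostname or ""
        # Match a listed host exactly, or any subdomain of a listed domain.
        if any(host == h or host.endswith("." + h) for h in hosts):
            hits.add("host:" + host)
    return sorted(hits)

# Constructed messages (not real mail); IOC values are refanged at run time.
SAMPLE_MESSAGES = [
    {"id": "m1", "reply_to": "billing@corp.example",
     "body": "Your statement: " + refang(PAGE_IOCS[1])},
    {"id": "m2", "reply_to": refang(PAGE_IOCS[3]), "body": "Claim relief funds"},
    {"id": "m3", "reply_to": "friend@gmail.com",
     "body": "See https://intranet.corp.example/covid"},
]
```

Keeping the e-mail indicator as a full address rather than a host prevents the watchlist from flagging every message sent from the shared mail provider.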


Upcoming Collaboration Tool Phishing  

Attack summary: Security researchers have identified a number of domains registered by malicious actors with the apparent intent of impersonating links to legitimate collaboration tools, including Zoom and Office365.  




  • Train employees about the risk of malicious domains impersonating collaboration tools. 
  • Ensure that mail security identifies malicious URLs with the latest threat intelligence. 
  • Use detection and response solutions to identify systems or accounts compromised by malicious domains. 
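Lookalike registrations of this kind can be triaged before they appear in any threat feed. The following is an added example, not code from Arctic Wolf or the researchers: it flags newly seen domains whose first label is a near-miss of, or embeds, a protected name. The allowlist, the name tokens and the sample domains are assumptions constructed for illustration.

```python
# Assumptions for this example: legitimate registered domains, and the name
# tokens worth protecting ("us04webzoom" is a meeting hostname with dots removed).
LEGIT_DOMAINS = {"zoom.us", "office.com", "office365.com"}
BRAND_TOKENS = ["us04webzoom", "zoom", "office365"]

def edit_distance(a, b):
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (token, reason) for a suspected lookalike, else None.

    Expects a registered domain (label + suffix); no public-suffix handling.
    """
    domain = domain.lower().rstrip(".")
    if domain in LEGIT_DOMAINS:
        return None
    label = domain.split(".")[0]
    for token in BRAND_TOKENS:
        # Short tokens get a tighter threshold to limit false positives.
        limit = 1 if len(token) <= 5 else 2
        if edit_distance(label, token) <= limit:
            return (token, "near-match")
    for token in BRAND_TOKENS:
        if token in label:
            return (token, "embedded")
    return None

# Constructed test domains on the reserved .example suffix.
SAMPLES = ["us04webzoum.example", "offlce365.example",
           "mail-office365-login.example", "zoom.us", "bloom.example"]

def scan(domains):
    """Map each flagged domain to its (token, reason) verdict."""
    return {d: v for d in domains if (v := classify(d)) is not None}
```

Verdicts are a triage signal for an analyst rather than a block decision, since short tokens such as `zoom` also sit close to ordinary words.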


2. Malicious Mobile Apps Exploit COVID-19 Concerns 

Attack summary: Malicious actors are using the COVID-19 pandemic to drive downloads of mobile applications containing malware. COVID-19 themed apps on third-party download sites may install malicious code or request dangerous permissions. This threat is especially serious for businesses, as remote workers are more likely to work on personal devices.  


| Mobile app name | Indicator | App store name |
| --- | --- | --- |
| Coronavirus Live Statistic | Dangerous permissions | Aptoide |
| Coronavírus – SUS | Dangerous permissions | Aptoide |
| Coronavirus – COVID-19 | Malware | Aptoide |
| Coronavirus : Covid-19 news app FREE | Malware | All Free APK |
| Daily News – COVID-19, Coronavirus Live Updates 1.0.4 APK | Dangerous permissions | APK Tools |
| Pandemic Tracker – CoronaVirus (COVID-19) 1.0 APK | Dangerous permissions | Full APK Download |
| COVID News – Italia APK | Malware | Download APK |
| COVID-19 Guidelines 5.10.1 APK | Dangerous permissions | APK PLZ |


  • Train employees to download applications only from trusted stores or sites. 
  • Ensure that business information is held only on business devices, even during remote work.


3. Charity Scams 

Indian “PM Cares” Donation Scam 

Attack summary: The Indian government has established the “PM CARES” fund to collect donations from citizens to support coronavirus response. The Maharashtra Cyber police report 78 cases of false donation links, some of which were spread on social platforms such as Facebook and TikTok.  

IOC(s): The police did not release the malicious links, but emphasized the valid Unified Payment Interface (UPI) ID, pmcares[@]sbi 


  • Advise employees about the risk of donation scams, including scams impersonating known charities.  
  • Inform employees of the risks of digital payment tools, which may not allow refunds or verify recipients. 


4. Institutional Guidance on COVID-19 Related Threats 

The US DHS, US Cybersecurity and Infrastructure Security Agency (CISA), and UK’s National Cyber Security Centre (NCSC) have released an update on the risk of COVID-19 related cybercrime, with summaries of attacks and additional posted IOCs.


NIST has released an Information Technology Bulletin summarizing security guidance on remote working.


Interpol has advised hospitals on the growing risk of ransomware and on security best practices to avoid ransomware infection.



About the Author

Louis Evans

Louis Evans is a Product Marketing leader at Arctic Wolf Networks, where he works specifically on field and partner enablement and training. He’s passionate about understanding and fighting back against the next generation of cybersecurity threats.
