COVID-19 Weekly Threat Roundup: April 3

April 3, 2020 Louis Evans

Welcome to the first Arctic Wolf COVID-19 Weekly Threat Roundup.

This is a new series we’re spinning up to help our customers and the broader cybersecurity community during this challenging period.

This roundup is designed to help you and your team keep defending your organization against evolving cybersecurity threats during the COVID-19 pandemic. Every Friday we'll summarize the week's key cybersecurity news, organized by major theme.

In each item we’ll include new attack vectors, IOCs, and security recommendations, combining credible open-source threat intelligence with insights from the Arctic Wolf team.

Let’s get started.

1. Zoom and Video Teleconferencing (VTC) 


Attack summary: The exponential growth in remote work has led to similar growth in videoconferencing, often through Zoom. But such meetings are often insecure, creating the risk of hijacking, aka “Zoombombing”, where malicious actors disrupt meetings or classes. 

IOCs: N/A. A hijacked video conference is immediately apparent to all users.  


Recommendations:

  • Secure videoconference meetings with a password. Set your meeting scheduler to password-by-default.
  • Ensure that videoconference links are not posted or shared publicly. 
  • Where possible, manage screensharing options (e.g., “Host Only”) to prevent hijacker disruptions.  


Zoom “War Dialing”

Attack summary: Videoconference threats aren’t limited to hijacking. Because Zoom links can be accessed from any system, they are vulnerable to “war dialing”, where an attacker brute-force guesses meeting ID codes. If a valid code is found, the attacker can access meeting information including date, time, subject, and organizer. This leak can reveal sensitive business information. Consider, e.g., a meeting entitled “Restructuring Plans” scheduled by a major company CEO or CFO.

IOCs: None. Breach occurs at the service provider level.  


Recommendations:

  • Secure videoconference meetings with a password. Set your meeting scheduler to password-by-default.
  • Avoid including sensitive information in meeting invitations. 


2. COVID Phishing 

COVID Phishing Bypasses Advanced Threat Protection 

Attack summary: This phishing campaign exploited COVID by pretending to be a news alert from the World Health Organization (WHO). It avoided detection by ATP tools by impersonating a valid sender (splashmath[.]com, an online learning game for kids) using a spoofed US IP address. Targets who clicked the link were led to a valid-seeming Microsoft Office login page, which harvested their credentials.  

IOCs: Users are supposedly sent to:  

  • URL: hXXp://o[.]splashmath[.]com/ls/click upn=H2FOwAYY7ZayaWl4grkl1LazPuy6jduhWjWPwf0O2D 
  • IP: 167[.]89[.]118[.]52 or 167[.]89[.]123[.]54 

But instead are maliciously redirected to: 




Recommendations:

  • Train users about the risk of COVID-themed phishing attacks.
  • Ensure email security is updated with most recent IOCs. 
  • Monitor for account takeover risk. 
  • Monitor for suspicious activity on Microsoft Office accounts.
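
Because this lure rode on a valid sender, one check worth adding to mail triage is a brand mismatch test: the message claims to come from WHO, but neither the sender domain nor the link hosts belong to who.int. The sketch below is an added example, not Arctic Wolf's code; the sample message, the `example.net` hosts and the lure wording in `BRAND_TERMS` are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL = "who.int"  # WHO's real domain
BRAND_TERMS = ("world health organization", "who alert")  # assumed lure wording

# Constructed sample message; example.net hosts are placeholders, not IOCs.
SAMPLE = """From: "World Health Organization" <alerts@mail.example.net>
Subject: COVID-19 news alert
Content-Type: text/html

<p>Read the <a href="http://click.example.net/ls/click?upn=abc">update</a>
or visit <a href="https://www.who.int/">who.int</a>.</p>
"""

class _Hrefs(HTMLParser):
    """Collect the hostname of every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("href") or "").hostname if tag == "a" else None
        if host:
            self.hosts.add(host.lower())

def _official(host):
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def who_lure_findings(raw):
    """Flag mail that claims to be from WHO but whose sender or links are not."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    claims = f"{display} {msg.get('Subject', '')}".lower()
    if not any(term in claims for term in BRAND_TERMS):
        return []  # no WHO branding, nothing to compare
    findings = []
    sender = addr.rpartition("@")[2].lower()
    if not _official(sender):
        findings.append(f"sender domain {sender} is not {OFFICIAL}")
    links = _Hrefs()
    links.feed(msg.get_payload())
    findings += [f"link host {h} is not {OFFICIAL}"
                 for h in sorted(links.hosts) if not _official(h)]
    return findings

if __name__ == "__main__":
    print(who_lure_findings(SAMPLE))
```
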

Stimulus Phishing 

Attack summary: Since governments began to respond to the coronavirus pandemic, threat actors have exploited the situation with fake emails promising cash payments or other relief, such as a SILENTNIGHT distribution campaign targeted primarily at Canada. With the recent passage of the coronavirus stimulus package, the CARES Act, these attacks are expected to grow sharply within the US.


Talos has noted an increase in suspicious stimulus-themed domain registration. Once domains are confirmed to be malicious, they will be added into existing threat intelligence feeds.  

The SILENTNIGHT sample from the campaign mentioned above connected to C&C servers at: 



Recommendations:

  • Train employees about the risk of stimulus phishing. Remind them that the US government will never disburse funds through an email alert.
  • Ensure your mail security tool is continuously updated with the most recent threat intelligence.  
  • Maintain endpoint protection and detection and account takeover detection activities.  


Fake Charity Attack 

Attack summary: During natural disasters, attackers will play on targets’ generosity and eagerness to help out. This attack spoofs a WHO email address and solicits bitcoin donations.  


Recommendations:

  • Train employees about the risk of donation scams.
  • Ensure that mail security identifies known-malicious domains.


Fake Cure Attacks  

Attack summary: Other phishing campaigns have exploited hopes around potential coronavirus treatments or cures. In one reported attack, the phishing email pretends to have documents on a cure, but the link leads to a malicious site that steals Microsoft Office credentials. Another attack attempts to engage the target in discussion, probably to steal PII or fraudulently receive money.  


  • The actual sender IP of the first attack is: 
  • The email address used in the second attack is: 


Recommendations:

  • Train users about the risks of cure or treatment scams.
  • Ensure that mail security identifies known-malicious domains. 
  • Use endpoint security to identify connections with scam login pages. 


3. Attacks on COVID Institutions 

Brno University Hospital Cyberattack 

Attack summary: The COVID pandemic has led to increased public awareness of existing health and research institutions. This higher profile may attract existing threat actors using known or familiar techniques. In this particular attack, Brno University Hospital, a leading Czech coronavirus testing center, was disabled and forced to suspend activities.  


The details of this attack have not been publicly released. However, the profile suggests that it was likely a ransomware attack, probably by a known strain.  


Recommendations:

Institutions with an increased public profile during the coronavirus pandemic must increase their security posture.

Ransomware typically exploits one of three attack vectors:

  • Phishing
  • Known software vulnerabilities
  • Remote desktop protocols 

Focus on email security, vulnerability management and patching, and proper RDP configuration to prevent such attacks.   


Cyberattack Against WHO  

Attack summary: No institution has experienced a greater rise in prominence than the World Health Organization (WHO). In this attack an organized threat group, possibly DarkHotel, created a spoof website designed to imitate WHO’s internal email system, to collect credentials from multiple agency staffers. The attackers are believed to be seeking persistent access to collect information about outbreaks, testing, vaccines or cures, any of which could have tremendous value.


The spoof website used will be different for each attack of this type.  


Recommendations:

  • Any organization which has any proprietary information on COVID-19 may be facing unusually disciplined and organized attackers. This could include health and biomedical, governments and NGOs, and even journalism and data analysis.
  • Such organizations must enhance defenses against account compromise/data breach, including mail security and network and endpoint security. 
  • Monitor cloud systems for any indicators of account compromise.
  • Develop active relationships with the security community for enhanced awareness of any public advanced threats.


4. Advanced WFH attacks 

Teddy Bear and USB Malware Attack 

Attack summary: In this new attack, hacking group FIN7 mails a USB flash drive to targets, along with a (supposed) gift card or teddy bear, and deceptive instructions to insert the drive in the target’s computer.

The drive emulates a USB keyboard, which PCs trust by default. It uses this trust to deliver a multi-stage PowerShell payload, which downloads additional malware (from hxxps://milkmovemoney[.]com/st/mi.ini) and creates a two-way connection with a command and control server.


IOCs:

  • bece1545132af25c68777fade707046c (2nd stage PowerShell)
  • 84d77a3b76ac690ce7a60199c88ceeb5 (prada.txt)


Recommendations:

  • Train employees never to connect unauthorized devices, including unsolicited deliveries, to secure systems, including personal devices for employees working from home.
  • Review endpoint detection alerts for new USB devices plugged in.
  • Monitor endpoint and network detections for the above IOCs.
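
Reviewing USB alerts is more useful when they are correlated with what happens next: a keyboard that is not in the host's baseline, followed within seconds by a PowerShell start, matches the behaviour described above. The following is an added example, not part of the original roundup; the event schema, host names, device IDs and 60-second window are hypothetical and would need mapping to your own endpoint telemetry.

```python
from datetime import datetime

# Constructed telemetry: the event schema, hosts and device IDs are hypothetical.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ts": "2020-04-01T08:00:00", "host": "wfh-01", "type": "usb_connect",
     "device_class": "HID_KEYBOARD", "device_id": "VID_1111&PID_0001"},
    {"ts": "2020-04-01T08:00:10", "host": "wfh-01", "type": "process_start",
     "image": PS},
    {"ts": "2020-04-01T09:15:00", "host": "wfh-02", "type": "usb_connect",
     "device_class": "HID_KEYBOARD", "device_id": "VID_FFFF&PID_0001"},
    {"ts": "2020-04-01T09:15:04", "host": "wfh-02", "type": "process_start",
     "image": PS},
    {"ts": "2020-04-01T10:00:00", "host": "wfh-03", "type": "usb_connect",
     "device_class": "HID_KEYBOARD", "device_id": "VID_FFFF&PID_0002"},
    {"ts": "2020-04-01T10:30:00", "host": "wfh-03", "type": "process_start",
     "image": PS},
]
# Keyboards already inventoried per host (the baseline).
KNOWN = {("wfh-01", "VID_1111&PID_0001")}

def new_keyboard_then_powershell(events, known, window_s=60):
    """Return (host, device_id, seconds) where PowerShell starts within
    window_s seconds of a keyboard not in the baseline attaching."""
    attached = {}  # host -> [(attach time, device_id)]
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "usb_connect":
            key = (ev["host"], ev["device_id"])
            if ev["device_class"] == "HID_KEYBOARD" and key not in known:
                attached.setdefault(ev["host"], []).append((when, ev["device_id"]))
        elif ev["type"] == "process_start":
            if not ev["image"].lower().endswith("\\powershell.exe"):
                continue
            for t0, dev in attached.get(ev["host"], []):
                delta = (when - t0).total_seconds()
                if 0 <= delta <= window_s:
                    hits.append((ev["host"], dev, int(delta)))
    return hits

if __name__ == "__main__":
    for hit in new_keyboard_then_powershell(EVENTS, KNOWN):
        print(hit)
```
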

Linksys Router Brute Force Attack 

Attack summary: Another new vulnerability for organizations is the home network. In this attack, attackers brute-forced management credentials to access home Linksys routers, then redirected specific pages to malicious coronavirus-themed pages. The payload of this attack was ultimately infostealer malware.  


The malicious IPs used in this attack were: 



Recommendations:

  • Users should change router control access credentials, Linksys cloud account credentials, and any other remote access credentials for home networks.
  • Users should establish appropriate segmentation for their home network, if possible.
  • Organizations should develop security policies and recommendations for home networks, or establish a VPN to ensure that employees are accessing more-secure business networks.


5. Misc. Attacks  

Plugin Attack  

Attack summary: The COVID-19 outbreak has created an incredible public appetite for the latest information about the pandemic. Researchers have stepped up, producing data resources with unprecedented scope, detail, and speed. But attackers are exploiting these new resources with malicious imitators.

Attackers are distributing a WordPress plugin, supposedly a coronavirus map, that includes a malicious backdoor. This backdoor is then used to inject malicious ads on target sites or perform unauthorized redirects.


Hashes of the malicious plugins: 

  • 41231094279d97465f8f85399ea3039ca0b7519a2a205a265163254f84b84f9b
  • e555509b83f74d126f63a207c0879feb22cd003f7bd0a35eb7290445192084f5
  • 8071a4602080a148e8bdd3021d5e3461c805534e0e46520787c05b2ac2489a0a
  • 948009373243b1f30f55ba35a66c0687cd2f0d2e213607969fba71a828345033


Recommendations:

  • Website owners should never download plugins from unauthorized sites.





About the Author

Louis Evans

Louis Evans is a Product Marketing leader at Arctic Wolf Networks, where he works specifically on field and partner enablement and training. He’s passionate about understanding and fighting back against the next generation of cybersecurity threats.
