COVID-19 Weekly Threat Roundup: June 19

June 19, 2020

The COVID-19 Weekly Threat Roundup series is part of how we’re helping our customers and the broader cybersecurity community during this challenging period.  

This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. 

Each item includes a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.  

You can also read previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.  

1. Malicious Phone Apps Exploit COVID-19 

Fake COVID-19 Tracing Apps Download Malware  

Attack Summary: Multiple countries have released smartphone applications used to track COVID-19 and provide health information to citizens. In these attack campaigns, malicious actors release applications designed to impersonate legitimate COVID tracking apps. These fake apps contain or download commodity Android malware, including banking trojans and spyware.  





  • Train employees about the risk of malicious applications impersonating official COVID apps 
  • Establish security policies about work use of personal devices to reduce data exposure 
  • Use detection and response solutions to identify systems compromised by malicious applications 


2. Attacks on Remote Commerce 

Attackers Targeted Claire’s E-Commerce When Stores Closed 

Attack Summary: Magecart is a hacker group that typically targets e-commerce platforms. In this attack, they targeted Claire’s, a fashion retailer. On March 20, Claire’s closed three thousand locations worldwide in response to the coronavirus pandemic. The next day, an anonymous party registered the domain “claires-assets[.]com”. Then, attackers inserted malicious code onto store servers, so that each order would exfiltrate data to their malicious domain. When informed by security researchers, Claire’s remediated the error.  


  • Businesses that use e-commerce platforms should evaluate their security posture in light of a likely increase in attacks against e-commerce 
  • It is not clear how Magecart compromised Claire’s e-commerce platform; attack vectors may include leaked credentials, spearphishing, or network compromise 
  • Use detection and response and account takeover solutions to protect against potential vectors of compromise 


FBI Warns of Attacks on Mobile Banking Apps

Attack Summary: The FBI has issued a warning about increasing attacks against mobile banking. The warning notes that mobile banking has surged 50% since the beginning of 2020, and highlights app-based banking trojans and fake banking apps as major mobile banking threats.  


  • Warn employees about the risk of mobile banking attacks 
  • Implement multi-factor authentication for banking and other secure accounts
  • Use detection and response solutions to identify malicious applications on business endpoints, including employee devices used for work activities 


3. COVID Phishing Update 

New Hacker Organization, “Vendetta”, Impersonates Taiwanese CDC 

Attack Summary: “Vendetta”, a new hacker organization active since May of 2020, is focused on COVID-19 related phishing campaigns. In this campaign, Vendetta impersonated the Taiwanese CDC and falsely informed targets that a close contact had contracted a case of COVID-19. The phishing email encouraged targets to download an attachment with information for making a testing appointment. The malicious attachment moves through multiple obfuscation layers before finally deploying the Nanocore Remote Access Trojan.   



  • 172[.]111[.]188[.]199 


  • 0aa87ed22e193e1c6aa9944cf1b9e88ec4ae6a5b3f975e3fb72c0f5b06b864f2 
  • 51B0165FBA9CF8E0B7BFEBDC33E083ECC44D37CDBB15B5159B88B71E52B0255B 
  • d5d3cf535b3313077956d5708225cf8029b039ed0652ee670ce25ea80d2b00c0 
  • 19B5353BF8A69A64536C865A4890B69EE1DCD59445968E1CFD94C62E1A97B11E 

Further hashes related to Vendetta are available at the source link below.


  • Ensure employees are aware of the risk of phishing campaigns impersonating health authorities 
  • Update mail and endpoint security with the latest IOCs to block attacks 
  • Employ detection and response solutions to identify systems compromised by malware, or connections back to C2 servers, in order to promptly respond to attacks 
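
One way to carry out the IOC update recommended above, as an added example that is not Arctic Wolf's code: it refangs, lowercases and de-duplicates indicators in the form the Vendetta item prints them, then matches them against sample events. The events, host names and field names are constructed assumptions.

```python
import ipaddress
import re

# Indicators as printed in the Vendetta item above (defanged IP, mixed-case
# hashes). One hash is listed twice here to show de-duplication.
RAW_IOCS = """
172[.]111[.]188[.]199
0aa87ed22e193e1c6aa9944cf1b9e88ec4ae6a5b3f975e3fb72c0f5b06b864f2
51B0165FBA9CF8E0B7BFEBDC33E083ECC44D37CDBB15B5159B88B71E52B0255B
0aa87ed22e193e1c6aa9944cf1b9e88ec4ae6a5b3f975e3fb72c0f5b06b864f2
"""
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

def normalize(raw):
    """Refang, lowercase and de-duplicate IOCs, grouped by indicator type."""
    iocs = {}
    for line in raw.splitlines():
        token = line.strip("\u2022 \t").replace("[.]", ".").lower()
        if not token:
            continue
        if re.fullmatch(r"[0-9a-f]+", token) and len(token) in HASH_TYPES:
            kind = HASH_TYPES[len(token)]
        else:
            try:
                ipaddress.IPv4Address(token)
                kind = "ipv4"
            except ValueError:
                kind = "unparsed"  # keep for manual review, never drop silently
        iocs.setdefault(kind, set()).add(token)
    return iocs

# Constructed sample events (not real telemetry); field names are assumptions.
EVENTS = [
    {"host": "ws-014", "dst_ip": "172.111.188.199", "sha256": None},
    {"host": "ws-022", "dst_ip": "192.0.2.10",
     "sha256": "51b0165fba9cf8e0b7bfebdc33e083ecc44d37cdbb15b5159b88b71e52b0255b"},
    {"host": "ws-031", "dst_ip": "198.51.100.7", "sha256": None},
]

def match_events(events, iocs):
    """Return (host, reasons) for every event that touches a known indicator."""
    hits = []
    for ev in events:
        reasons = []
        if ev.get("dst_ip") in iocs.get("ipv4", ()):
            reasons.append("ioc_ip")
        if (ev.get("sha256") or "").lower() in iocs.get("sha256", ()):
            reasons.append("file_hash")
        if reasons:
            hits.append((ev["host"], reasons))
    return hits
```

Comparing hashes only after lowercasing both sides matters here because the published list mixes upper- and lower-case digests, and an exact string match would miss half of them.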


Phishing Attack Spoofs Reimbursement Policy, “COVID-19 Relief Plan” 

Attack Summary: In this broad campaign, attackers distributed malicious HTM files as attachments in emails purporting to come from targets’ Human Resources departments. The user is encouraged to log on and review a policy, and is then redirected to a phishing page that steals O365 credentials.


  • Implement mail security controls to help employees recognize external actors impersonating company departments 
  • Detection and response solutions can identify when credentials are shared with malicious sites 
  • Account takeover risk solutions can identify compromised credentials, enabling businesses to mitigate risk 


