COVID-19 Weekly Threat Roundup: June 5

June 5, 2020

Welcome back to the Arctic Wolf COVID-19 Weekly Threat Roundup.  

This series is part of how we're helping our customers and the broader cybersecurity community during this challenging period.  

This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Each edition summarizes key cybersecurity news for the week and is organized by major themes.  

Each item includes a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with unique insights from the Arctic Wolf team.  

You can read previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.  

1. COVID Phishing Continues 

“Hack for hire” Impersonates WHO 

Attack summary: in this new wave of attacks, “hack for hire” firms are exploiting COVID-19 themes to target business leaders in financial services, consulting, and healthcare. These emails purport to come from the World Health Organization (WHO), and encourage targets to sign up for ongoing notifications regarding the pandemic. The supposed signup sites are carefully crafted to resemble the legitimate WHO site, but function as credential stealers, and may also solicit additional personal information.  


Train employees, especially senior employees, about the risks of these spearphishing campaigns; encourage them to never provide login information in response to unsolicited communications 

Use detection and response solutions to identify compromised credentials, or suspicious activity by compromised accounts 

Sources: and

New FMLA campaign delivers Himera and AbSent-Loader 

Attack summary: in this campaign, attackers used email subjects lines related to the Family and Medical Leave Act to induce targets to open their message, then download a document named “COVID-19 PESENTATION.doc”. This document contains a Himera executable, which performs a series of anti-analysis operations and then gathers additional binaries from a remote C2 server. 



  • 97FA1F66BD2B2F8A34AAFE5A374996F8 
  • 4620C79333CE19E62EFD2ADC5173B99A 
  • 4D2207059FE853399C8F2140E63C58E3 


  • http://195[.]2[.]92[.]151/ad/da/drop/smss[.]%5Dexe 
  • http://195[.]2[.]92[.]151/ad/da/gate[.]%5Dphp 


  • Update mail and endpoint security with the latest IOCs to block malicious attachments 
  • Deploy detection and response solutions to identify compromised systems and suspicious connections to C2 servers  


Additional FMLA Campaign Delivers Banking Malware BokBot 

Attack summary: In this campaign, attackers also used emails referencing the Family and Medical Leave Act. The email claims to originate from a supposed “COVID-19 CENTER” using a spoofed address. The payload was a malicious document entitled FMLAINSTRUCTIONS.doc, which uses macros to deliver an executable, containing the BokBot malware.  


File names



  • Use mail and endpoint security with regular updates to identify and block malicious attachments 
  • Train employees about the risks of macros 
  • Consider detection and response solutions to identify C2 connections and data exfiltration from malware like BokBot 


Alpha Bank Phishing Campaign Distributes GuLoader 

Attack summary: In this campaign, attackers impersonate Alpha Bank, one of the largest banks in Greece. The email refers to a fictitious “dalay in payment” resulting from the COVID-19 pandemic. The attachment contains GuLoader, an advanced malware downloader. Subsequent malware activity is consistent with an infostealer payload. 



  • doc-04-3k-docs[.]googleusercontent[.]com 
  • mail[.]lacore[.]ee 


  • 37[.]49[.]230[.]163 


  • 8b91664ce266b3f29b75db596569af62359e77deb2d7a9beb88dd92c84cb7cab  
  • 746aa0624ebdf5ef5d341694688cdad63f0950c31c612a37e92745f7c699a688 
  • 6c57609bd1a564ee9e0d10438b4a6dddde014c7caba0a35cc6317aab71ea5b9e 


  • Maintain email security training programs 
  • Use mail and endpoint security to block the listed IOCs 
  • Consider detection and response solutions to identify activity by GuLoader or infostealers  


Researchers Analyze Common COVID-19 Malware Varieties 

Attack summary: over the course of the pandemic, COVID-19 themes have been used to distribute a wide range of existing malware strains. In this report, researchers highlight five malware varieties as especially common among COVID-19 campaigns: AveMaria and LokiBot, Remote Access Trojans; NetWiredRC, a backdoor; AZORult, an infostealer; and DanaBot, banking malware. 


  • Ensure that endpoint and AV tools have been updated with IOCs for all major malware varieties 
  • Deploy security operations solutions to benefit from constant threat intelligence updates and managed detection tuning. 


2. Mobile Phishing Tied to COVID-19 

Researchers Report High Volume of Malicious COVID Texts 

Attack summary: attackers have exploited multiple methods of distribution for COVID-themed campaigns. Researchers are now reporting that, at the peak of these campaigns as many as 5% of COVID-related SMS messaging may have been phishing or another high-risk attack, often employing URL shorteners to obscure malicious links. Another security group observed a 37% growth in mobile phishing encounter rates from the last quarter of 2019 to the first quarter of 2020. 



  • www[.]Scotia-0nline[.]com 
  • hxxps://client-7492703[.]online 
  • hxxps://uk-covid-19[.]webredirect[.]org 

Apparent Senders 

  • Scotiainfoalerts[@]scotiabank[.]com 
  • +15197551999 
  • covid 


  • Train employees about the risk of phishing attempts targeting mobile devices through SMS 
  • Establish security policies for work use of employee devices 
  • Evaluate detection and response solutions that can integrate endpoint and mobile detection into broad security awareness 

Source: and

3. New Remote Work Threats  

Office 365 Phishing Spoofs VPN Issue 

Attack summary: In this campaign, attackers targeted employees using Office 365, which has seen an enormous spike in usage from pandemic-related remote work. The malicious email spoofs the company’s own domain and tells users they need to update their VPN configuration, then directs them to a credential-stealing page. Attackers hosted this page on Azure, creating the illusion of a legitimate Microsoft service; the SSL certificate meant that browsers would display the “secure” padlock on the malicious page.  


  • Train employees about the risk of phishing campaigns, including campaigns that may impersonate internal resources 
  • Use mail security best practices to help users identify external emails spoofing internal sources  
  • Use detection and response solutions to identify when credentials have been stolen by suspicious sites  

Sources: and

Zoom Vulnerabilities Enable Code Execution (patched) 

Attack summary: security researchers announced two vulnerabilities within Zoom, the popular video teleconferencing software, that would have permitted code execution. In one, a specially crafted message would exploit the pathway typically used to pull GIFs from a Giphy server to achieve arbitrary file write, and potentially arbitrary code execution. In the other, a specially crafted message would exploit the Zoom client handling of shared code snippets to achieve arbitrary binary planting and potentially arbitrary code execution. As per policy, researchers shared these vulnerabilities with Zoom, which issued patches.  


  • Because these vulnerabilities have been resolved, no action is required to protect employees from them in particular 
  • However, the ongoing discovery of vulnerabilities in major collaboration tools such as Zoom emphasizes the importance of a risk management solution to the security of a remote workforce 



Previous Article
The Top 5 Cyberattacks of May 2020
The Top 5 Cyberattacks of May 2020

The Top 5 Cyberattacks feature a large email breach, a ransomware attack on a plastic surgery studio, a DDo...

Next Article
Channel Day 2020: One Team, 100 Percent Channel
Channel Day 2020: One Team, 100 Percent Channel

Channel partners have always been at the core of Arctic Wolf's go-to-market strategy, learn more about Chan...


Get cybersecurity updates delivered to your inbox.

First Name
Last Name
Yes, I’d like to receive marketing emails from Arctic Wolf about solutions of interest to me.
I agree to the Website Terms of Use and Arctic Wolf Privacy Policy.
Thanks for subscribing!
Error - something went wrong!