COVID-19 Weekly Threat Roundup: May 15

May 15, 2020

Welcome back to the latest edition of the Arctic Wolf COVID-19 Weekly Threat Roundup.     

 This ongoing series is part of how we’re helping provide information to our customers and the broader cybersecurity community during this challenging period.     

This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Every Friday we're summarizing key cybersecurity news for the week, organized by major themes.      

In each item we’ll include a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.   

You can read previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.

1. Fake Aid Spoofs New Organizations 

Fictitious Microsoft Relief Collects Personal Information 

Attack summary: Since the beginning of the COVID-19 outbreak, we’ve seen a wide range of cyberattacks that spoof social services or relief agencies. In this attack, malicious actors purport to represent a fictitious “Microsoft Coronavirus Relief Fund”. The email instructs targets to fill out an attached PDF with personal sensitive information, and send it to the attackers to receive a grant.  


  • 194[.]44[.]228[.]194  
  • 153[.]126[.]176[.]199  


  • Update mail and network security with latest IOCs 
  • Discuss best practices about sharing personal information with staff 


Spoofed Treasury Email Delivers Adwind RAT 

Attack summary: In this campaign, attackers spoof the US Treasury and inform targets of an unclaimed payment. The message suggests some connection to COVID-19 relief efforts and encourages targets to download a zip file. The zip file contains the Adwind Remote Access Trojan (RAT). Interestingly, Adwind calls back to a domain that purports to offer legitimate remote access software. The connection between this domain and the attackers is unclear.  


Main object: "CONTRACT PAYMENT .zip"

  • sha256: e5634d3c9b42420c971a6ace2eec7ff736d9679bf2611413a26dc18e115bcb44  
  • sha1: 7b29d1fcce9fa63d5ae2b7e0ad6bfbd9cbe75376  
  • md5: 30c37a52f7b4d9f36d38a9977bc04f2e  

Dropped executable file: 

  • C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp107027949920\node-v13.13.0-win-x86\node_modules\npm\node_modules\term-size\vendor\windows\term-size.exe  
  • sha256: 87808453a974763661a0ac83375ae4f9733207653d1627ea7900bb85be1f6c57  

DNS requests:

  • C2 domain  


  • IP:  


  • Use mail, network and endpoint security, updated with the latest threat intelligence, to identify and block attacks of this type 

  • Use detection and response solutions to identify users and systems compromised with malware 

  • Train employees about the risk of phishing, malware, and zip downloads 

Fake IRS campaign targets email credentials 

Attack summary: In this campaign, attackers impersonate the IRS and purport to direct targets to a DocuSign page. The fake DocuSign page collects the target’s email address, and then redirects them to a login page imitating their email provider. This second phishing page collects email credentials, then directs targets to an irrelevant document.  


  • Network IOC: hxxp://playdemy[.]org/office/doc-new 

  • IP: 206[.]123[.]154[.]15 


  • Use mail and network security to identify and block phishing emails and webpages 

  • Implement detection and response solutions to identify credential compromises 

  • Use account takeover awareness solutions to identify compromised user accounts 
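
One way to act on "update mail and network security with the latest IOCs" is to refang the published indicators and sweep existing proxy logs for them. The sketch below is an added example, not Arctic Wolf code: it uses the two indicators listed for the fake IRS campaign, while the log format, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as published above (fake IRS campaign).
PAGE_IOCS = ["hxxp://playdemy[.]org/office/doc-new", "206[.]123[.]154[.]15"]

def refang(indicator):
    """Undo the defanging used in this roundup: hxxp -> http, [.] -> ."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".")

def build_watchlist(indicators):
    """Split refanged indicators into a host/IP set and a URL-prefix set."""
    hosts, urls = set(), set()
    for raw in indicators:
        value = refang(raw).lower()
        if "://" in value:
            urls.add(value)
            hosts.add(urlsplit(value).hostname)
        else:
            hosts.add(value)
    return hosts, urls

def match_proxy_log(lines, hosts, urls):
    """Return (line_number, reason) for each log line that touches an indicator.
    Assumed (constructed) format: <time> <client_ip> <dest_ip> <method> <url>"""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess at their layout
        _, _, dest_ip, _, url = fields
        host = (urlsplit(url).hostname or "").lower()
        if url.lower().startswith(tuple(urls)):
            hits.append((n, "url"))
        elif host in hosts or dest_ip in hosts:
            hits.append((n, "host"))
    return hits

# Constructed sample log; every address except the page's IOC is a documentation range.
SAMPLE_LOG = [
    "2020-05-15T09:01:12Z 192.0.2.10 198.51.100.7 GET http://example.com/index.html",
    "2020-05-15T09:02:40Z 192.0.2.11 198.51.100.20 GET http://playdemy.org/office/doc-new?id=1",
    "2020-05-15T09:03:05Z 192.0.2.12 206.123.154.15 POST http://206.123.154.15/login",
    "2020-05-15T09:04:00Z 192.0.2.13 198.51.100.8 GET http://notplaydemy.org/office/doc-new",
]

HOSTS, URLS = build_watchlist(PAGE_IOCS)
```

Matching on the parsed hostname rather than a substring keeps look-alike hosts such as the fourth sample line from producing false hits.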


2. Phishing Campaigns Deliver Malware 

Two New Phishing Campaigns Distribute LokiBot 

Attack summary: Phishing campaign messaging is evolving to track developing COVID-19 themes. A new LokiBot distribution campaign identified by Microsoft highlighted a “business continuity” message, though attackers still spoofed a CDC source address. Another campaign exploited traditional banking themes, with only a minor mention of COVID-19. Both campaigns distributed an .arj file containing executables disguised as PDFs. These executables deliver the LokiBot trojan, which steals saved browser and application passwords.  


  • Implement detection and response solutions to identify systems compromised by malware that has bypassed mail and perimeter security tools 

  • Train employees about mail security, including suspect attachment types  


New Sphinx Strains Target Banking Credentials 

Attack summary: Sphinx is a known banking Trojan, ultimately deriving from the 13-year-old Zeus malware family. After a lengthy hiatus, Sphinx campaigns began to reappear in late 2019, and have continued into 2020, adopting COVID-19 themes to deliver Sphinx through maldocs (e.g., by spoofing Canadian PM Justin Trudeau). Once deployed, Sphinx ensures persistent stealthy operations within the OS, hooks to browser sessions, and covertly transmits banking credentials back to C2 servers. 


  • Use mail security and employee trainings to mitigate the risk of malware phishing campaigns 

  • Implement effective endpoint and detection and response solutions to prevent persistent malware from gaining a foothold on systems, and to identify systems that have been compromised  

Attack summary: Throughout the COVID-19 pandemic, healthcare and other pandemic-related organizations have reported an elevated rate of cyberattacks. Magellan Health Inc., a Fortune 500 healthcare and insurance firm, announced that it was a victim of a ransomware attack in April. Attackers compromised Magellan with a phishing email impersonating a Magellan client, then exfiltrated data including sensitive personal information from a targeted server.  


  • Tune mail, network, and endpoint security with the latest threat intelligence to identify phishing campaigns and ransomware 

  • Use detection and response solutions to identify systems compromised with ransomware before attackers can exploit it to exfiltrate files 

  • Train employees about the risk of phishing campaigns impersonating partners or other third party organizations 

Spoofed Brazilian Ministry of Health Emails Deliver Astaroth

Attack summary: Astaroth, an information stealer, has been used in attacks against Brazilian targets for approximately the past year. In this campaign, attackers impersonate the Brazilian Ministry of Health and encourage targets to download a PDF with information on the distribution of ventilators. The email actually points to a zip file hosted by Google, which is used to initiate the infection process. Once deployed, Astaroth employs an unusually thorough set of obfuscation and anti-analysis strategies before collecting information from the target system and transmitting it back to C2 servers.


  • Phishing link: hxxp://wer371ioy8[.]winningeleven3[.]re/CSVS00A1V53I0QH9KUH87UNC03A1S/Arquivo.2809.PDF 


  • Update web, email, and network security with Astaroth indicators of compromise 

  • Implement detection and response solutions to identify systems compromised by increasingly sophisticated commodity malware 


Phishing Campaigns Updated to Mimic New Microsoft Azure and O365 Login Pages 

Attack summary: Since the COVID-19 pandemic began, remote work services such as Microsoft Office 365 have experienced an elevated level of attacks. Recent design updates to the authentic Office 365 and Azure login pages undermined phishing campaigns whose fake login pages no longer resembled the authentic ones. But Microsoft now reports that they have detected phishing campaigns whose credential-stealing pages have been updated to resemble the current authentic login sites. 


  • Keep employees up to date with the latest developments in major phishing campaigns 

  • Use mail and network security to prevent employees from receiving phishing emails or connecting to fake login pages 

  • Monitor your cloud applications such as O365 for indicators of business email compromise 

  • Use account takeover awareness tools to identify compromised employee accounts 

3. COVID-19 Threat Landscape Assessments 

CISA-FBI Joint Statement Warns of Chinese Attacks on COVID-19 Research 

Attack summary: The FBI and Cybersecurity and Infrastructure Security Agency issued a joint statement warning US organizations that they may be targeted by Chinese-affiliated threat actors. These actors have been observed attempting to identify and obtain intellectual property and public health data. Organizations were particularly cautioned to watch for attacks following any press drawing attention to their COVID-19 work.  


  • Implement vulnerability management solutions to identify, prioritize, and patch key vulnerabilities and misconfigurations 
  • Utilize detection and response solutions to alert on compromise by persistent attackers 


Research Reveals COVID-19 Cloud Malware 

Attack summary: Researchers analyzed public cloud environments for connections to IP addresses discovered in analysis of COVID-19 related malware samples. The research identified 27 unique cloud environments, which made over 450,000 connections to malware IoCs.




  • Update web access firewalls and other cloud security tools to block connections with malicious domains 

  • Implement cloud monitoring solutions to detect cloud services or deployments compromised by malware 
