COVID 19-Weekly Threat Roundup: May 8

May 8, 2020

Welcome back to the latest edition of the Arctic Wolf COVID-19 Weekly Threat Roundup.    

 The goal of this series is to help our customers and the broader cybersecurity community during this challenging period.    

This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Every Friday w'll summarize key cybersecurity news for the week, organized by major themes.     

In each item we’ll include a new cyberattack, along with attack vectors, IOCs, and security recommendations (when applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.  

Find previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.   

1. COVID Phishing Attacks Update 

Fake co-worker virus alert 

Attack summary: In this jarring campaign, attackers impersonate a business and lure the targets with a claim that a coworker has fallen sick with, or in some cases died from, COVID-19. The targets are then enticed to click a link to receive additional health guidance. The malicious link harvests Microsoft credentials.  



  • hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423 
  • IP: 150[.]60[.]156[.]116 


  • Maintain clear and unambiguous methods of communication with employees, especially regarding health and safety updates 

  • Include IOCs in mail and network security  

  • Employ detection and response solutions to identify successful phishing attacks 

  • Consider account takeover solutions to be alerted of compromised employee credentials  


2. Microsoft Teams Impersonation Phishing 

Attack summary: Microsoft Teams usage has grown dramatically during the COVID-19 lockdowns. This has led to a growth in campaigns targeting Microsoft Teams credentials.

In one campaign, targets are led to a document hosted on a static site maintained by a legitimate email marketer; an image within the document encourages the recipient to log in to Microsoft Teams through a phishing site. In another, the target is led through a redirect chain beginning on YouTube and arriving at a credential phishing site. Compromise of Microsoft Team credentials may entail compromise of Office 365 accounts more generally.  


  • Provide remote work security training for employees, focusing on the risk of attackers impersonating collaboration tools 
  • Ensure that remote work tools are securely configured, including the use of multi-factor authentication 
  • Use cloud monitoring solutions to identify attacks and suspicious behavior on SaaS platforms 
  • Deploy account takeover risk tools to become aware of stolen employee credentials  

Cisco Webex Credential Harvesting 

Attack summary: In this phishing campaign, attackers impersonate Cisco Webex, using formatting and graphics used in real emails from this service. The malicious email claims that the target has been locked out of their account and must re-enter credentials. The SendGrid link provided redirects to a website controlled by the attackers, which is presumably used for credential harvesting.  


  • hXXps://app-login-webex[.]com/ 


  • Ensure that employees are aware of the risk of phishing attacks impersonating legitimate business tools, especially remote work and video teleconferencing tools 

  • Update mail security tools with current threat intelligence 

  • Use detection and response solutions to identify users connecting to known-bad domains 

  • Maintain account takeover risk awareness to identify compromised employee credentials 


Agent Tesla phishing campaigns 

Attack summary: Agent Tesla is a known Remote Access Trojan (RAT) malware variant. In three recent campaigns, attackers exploited COVID-19 themes to distribute this malware package. The emails promise information regarding health supplies or individuals affected by COVID-19 to induce targets to download a malicious file. Malicious files include RTF files that exploit known vulnerabilities in order to execute remote download of Agent Tesla, as well as a Zip file that simply includes the malware payload.  


  • 527142E25A8229D1DC910AF23CDB5256 (DOC) 

  • C1B04A9474CA64466AD4327546C20EFC (DOC) 

  • F1E95D1E23A582E4EF8B19E55E21D40E (PE) 

  • 6D5ED323EF55F7BD34BC193DDC8AFE74 (PE) 

  • C3166A86DBF5B6A95FC723EF639DAD45 (PE) 

  • 5[.]189[.]132[.]254 

  • 107[.]189[.]7[.]179 


  • Continue mail security training for employees, emphasizing the ongoing risk of coronavirus themes in phishing campaigns 

  • Update mail and endpoint security with the latest IOCs and threat intelligence 

  • Consider detection and response solutions to identify compromised systems 


German TrickBot campaign 

Attack summary: TrickBot is a known modular banking Trojan that has been previously deployed in COVID-19-themed campaigns. (See, e.g., last week’s threat roundup.) In this campaign, attackers impersonate the German Health Ministry and send an email purporting to contain updates on family and sick leave policy. The attachment is a maldoc which calls a TrickBot executable directly from a malicious domain.  


  • hXXp://shawigroup[.]com/dmndfkle[.]exe 


  • Train employees about the risks of phishing campaigns impersonating government agencies, and of maldocs 

  • Update endpoint and mail security with the latest IOCs 

  • Employ detection and response solutions to identify connections to malicious domains 

Remcos campaign targets CPAs 

Attack summaryRemcos is a known Remote Access Trojan (RAT) that has been previously deployed in COVID-19-themed campaigns. (See, e.g., the April 24 threat roundup.) In this new campaign, attackers targeted the American Institute of CPAs, purporting to offer “COVID-19 related updates." The attachment is a zip file, containing an ISO file, containing a malicious SCR file, which installed Remcos. 


  • Use the most recent threat intelligence to ensure that endpoint and mail security can detect and block known attacks 
  • Consider detection and response solutions to identify compromised systems and connections to C2 servers  


2. Attacks on Healthcare, Research, Transportation 

Agent Tesla targets medical suppliers 

Attack summary: In this spearphishing campaign, attackers impersonate prospective buyers of medical supplies. The email offers to make a large purchase of medical supplies, and encourages targets to open a document with contract terms for this purchase. The document is malicious, and exploits an Office Equation Editor vulnerability to download Agent Tesla.  


  1. File Name: Meducal Inquiry – L.A.B. Equipment.doc  

[SHA256 - 4dd71997e35a38826d34c780f98f7707da4aeb83622f86b4b644a3651fe4ad35]   

  1. File Name: pov.exe ​

[SHA256 - 9f087cc15d7f6f69f46563b5e58ca6141d4687beeec5230f6cb11dc3ae52f1cc] 

  1. C2: miketony[-]tw[.]com 

Malware Download: hxxp://pussyclub88[.]com/vendor/composer/files/pov.exe 


  • Warn employees about the risk of spearphishing campaigns impersonating prospective buyers or other business contacts, especially in organizations with new, COVID-19-related business activity 

  • Maintain a vulnerability management cadence, using risk management solutions to prioritize vulnerabilities undergoing active exploitation 

  • Update endpoint solutions to block known malware, and use detection and response solutions to identify connections to malicious domains 


Fresenius, Others, Hit by Snake Ransomware 

Attack summary: Snake is a new ransomware variant detected in January. It deploys an unusually sophisticated level of process obfuscation, and recent campaigns claim that it also extracts files for exposure blackmail. This week, a major Snake campaign hit multiple large enterprises, including Fresenius, the largest private hospital operator in Europe. It is not yet public what attack vectors are exploited to install Snake on target systems.  


  • Hash: e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60 


  • Ransomware is typically delivered via phishing email, RDP misconfiguration, or known software vulnerability 
  • Update and maintain mail security and employee training to mitigate phishing risk 
  • Use a risk management solution to identify, prioritize and address vulnerabilities and misconfigurations 
  • Add detection and response to alert on ransomware deployment in real time, to prevent attackers from executing the attack 


Shipping service impacted by Nefilim ransomware 

Attack summary: Toll Group is a leading logistics provider in Asia Pacific. This week they suffered their second major ransomware attack of the year. The most recent attack used the Nefilim ransomware strain. The attack forced Toll to shut down a consumer-facing shipping portal, disrupting service for customers, who may have particularly acute shipping needs in coronavirus lockdown.

While Toll has not shared details on how Nefilim was deployed on their systems, a third-party researcher noted that Toll was using a Citrix Netscaler server with the CVE-2019-19781 vulnerability during both attacks.  


File: %User Temp%\scam.jpg 


  • Maintain a vulnerability management cadence, including vulnerability identification, prioritization, and patching 
  • Use detection and response solutions to identify ransomware attacks before they can spread widely or encrypt systems 

Nation-state actors attack COVID-19-relevant organizations 

Attack summary: the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) released alerts of nation state advanced persistent threat (APT) groups targeting COVID-19 response organizations, including pharmaceutical companies, medical research organizations, and universities. Attackers have exploited vulnerabilities in Citrix, VPNs such as Pulse Secure, Fortinet, and Palo Alto, and password spraying attacks.   



  • Install high priority patches, including for Citrix Vulnerability CVE-2019-19781 

  • Use vulnerability management solutions to set up a regular vulnerability patching cadence 

  • Employ MFA to harden against password spraying attacks 

  • Use detection and response solutions to identify advanced persistent attackers who have bypassed security tools  


3. Misc. 

COVID-19 Tracking Apps Vulnerable to Attack 

Attack summary: Multiple governments are developing or have deployed coronavirus mobile apps for public health purposes, including both information sharing, resource distribution, and contact tracing. The hasty development of these apps, their expected wide deployment, and the sensitive information collected (especially for contact tracing) has raised concerns about the risk of data leaks and exposures. A researcher has demonstrated how certain features present in the Indian app, Aarogya Setu, would allow attackers to pinpoint the identity of users with coronavirus.   


  • Stay informed about developments with government coronavirus tracking apps and review security researcher evaluations in order to provide guidance to employees 
  • Develop best practices for the use of personal mobile devices for work activities, to prevent exposure from unverified apps  


COVID-19 Cyber Threat Coalition Releases Blocklist 

Attack summary: The COVID-19 Cyber Threat Coalition is a volunteer organization created to disseminate information about new, COVID-19-related threats. It has recently released blocklists of malicious URLs, domains, and hostnames known to be associated with COVID-19 attacks, including scams, phishing and malware campaigns, and more. 


  • Review the blocklists and use them to update mail, network, and endpoint security tools 

  • Consider security solutions that are managed and updated by solution providers to streamline security processes 

Previous Article
The Top 5 Cyberattacks of April 2020
The Top 5 Cyberattacks of April 2020

The top cyberattacks of April 2020 featured Zoom meeting issues, leaked credentials from the WHO, and more....

Next Article
The Mind of a Hacker: How Hacking Has Evolved Over Time
The Mind of a Hacker: How Hacking Has Evolved Over Time

Technology is always evolving to become faster, smarter, and more sophisticated. So are hackers. Learn abou...


Get cybersecurity updates delivered to your inbox.

First Name
Last Name
Yes, I’d like to receive marketing emails from Arctic Wolf about solutions of interest to me.
I agree to the Website Terms of Use and Arctic Wolf Privacy Policy.
Thanks for subscribing!
Error - something went wrong!