COVID Threat Roundup: October 2020

October 30, 2020

The COVID Threat Roundup series provides information designed to help you and your team further defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Each month we summarize key cybersecurity news, organized by major themes.

Each entry includes a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.

You can read previous roundups on our COVID-19 blog feed.

1. Ransomware Targets Hospitals as COVID Cases Grow 

FBI Warns of Wave of Ryuk Ransomware Attacks Against Hospitals, Healthcare Providers 

Attack summary: the FBI, DHS, and other credible cybersecurity sources have warned healthcare providers of an active threat by a Russian cybercriminal group to deploy Ryuk ransomware (and potentially other strains) at over 400 healthcare facilities in the U.S.  


  • The Cybersecurity and Infrastructure Security Agency (CISA) has provided a detailed list of IOCs here:   


  • The Ryuk gang typically customizes its malware for each attack. Invest in security operations solutions, such as detection and response, that can mitigate the threat of advanced attackers.
  • Patch operating systems, software, and firmware, and implement risk management solutions to identify and prioritize outstanding vulnerabilities.  
  • Implement ransomware resiliency solutions, such as backup and recovery. 


2. COVID Vaccine-Themed Attacks Emerge 

APT-31 Distributes Malware Under Cover of COVID Vaccine Files 

Attack summary: In this attack, malicious actors distributed emails offering access to documents with information about COVID vaccines, national distribution strategies for such vaccines, and other related materials. However, the files downloaded malware from Github, which ultimately installed a python package that communicated with the attackers using the Dropbox API. This exploitation of multiple trusted services allowed attackers to bypass most security tools.  


MD5 hashes of MSI files  

  • 077ebc3535b38742307ef1c9e3f95222 
  • f3896d4a29b4a2ea14ea8a7e2e500ee5 
  • b4112b0700be2343422c759f5dc7bb8b 
  • daa7045a5c607fc2ae6fe0804d493cea 
  • 3347a1409f0236904beaceba2c8c7d56 

MD5 hashes of Python-compiled binaries  

  • bd26122b29ece6ce5abafb593ff7b096 
  • fc4995e931f0ff717fe6a6189f07af64 

Dropped Python-compiled binary file names 

  • OneDrive.exe 
  • siHostx64.exe  

Dropped decoy file names 

  • mcafee_trial_setup_433.0207.3919_key.exe 
  • PAPER-COVID-19-Vaccine-Strategy.pdf 
  • covid_19_vaccines_final.pdf 
  • FINAL__-COVID-Vaccine-Letter.pdf 
  • 200709-The-Publics-Role-in-COVID-19-Vaccination.pdf 


  • Update mail and endpoint security with relevant IOCs 
  • Use detection and response solutions to identify compromised systems and their C2 connections to attackers 
  • Train users about the risk of malicious attachments, including those that appear to be legitimate files when downloaded and opened

3. COVID Phishing Updates 

Fake COVID-19 survey targets UBC with ransomware 

Attack summary: In this campaign, attackers distributed emails claiming to be their targets’ managers, sharing a mandatory survey about the University of British Columbia’s COVID response. The supposed survey was shared via Dropbox. It was in fact a maldoc, whose macros would download and install the Vaggen ransomware.   


File names

  • summerofficetemplate.dotm 


  • 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 


  • notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe 
  • notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
  • canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html 
  • canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html 


  • Train employees about the risk of maldocs, and the correct pathways by which legitimate internal resources are distributed 
  • Implement mail security policies to distinguish between legitimate internal communications and spoofs 
  • Deploy detection and response to identify ransomware and other malware before it can encrypt infected system

COVID Phishing Campaign Scrapes Credentials  

Attack summary: This phishing campaign impersonates an email distributing internal policies regarding the COVID-19 pandemic. However, the link to the supposed doc instead directs to a false Dropbox landing page, which attempts to collect a series of email credentials from the target.  


  • Implement mail security tools that distinguish between legitimate internal and spoofed internal communications 
  • Detection and response solutions can identify when a user shares credentials with an illegitimate page 
  • Account takeover risk solutions can identify when compromised business credentials are available for sale online and may be used in credential stuffing attacks

Phishing Campaigns Exploited the Trump COVID Diagnosis 

Attack summary: COVID-19 originally emerged as a major phishing theme because information about the COVID pandemic was both novel and engaging. As the pandemic continues, COVID itself has receded somewhat as a theme, as targets have adapted to the new normal. However, Trump’s early October COVID diagnosis was a shocking new development in both the pandemic and in US political news, and it was exploited by malicious actors.

In this campaign, attackers distributed an email purporting to offer striking information about the president’s health in a password-protected attachment. The link led to a document and another link, which in turn pointed to password-protected malware.   


  • Train employees about the risk of malicious attachments, especially those delivered through several levels of obscuring redirect 
  • Update endpoint security with the latest IOCs 
  • Detection and response solutions can identify systems compromised by malicious software

Fake Canadian COVID Relief Program Steal Bank Credentials 

Attack summary: Another recurring theme of COVID phishing campaigns is the impersonation of government or other aid or relief funds. In this campaign, attackers targeted employees who expected a particular Canadian COVID relief benefit. The malicious email then led to a site impersonating one of twelve Interac banks, and attempted to collect personal information and banking credentials from targets.  


IP address

  • 131[.]247[.]244[.]194 

URL template

hxxps://lincolnrestaurant-dc[.]com/interca/{unique 32 character string}/bank/{bank name}/{html or php file}  


  • Train employees about the risk of malicious emails that impersonate expected communications from governments or other legitimate actors 
  • Use detection and response solutions to identify when credentials are shared with malicious or compromised sites 



Previous Article
CyberWins: Arctic Wolf Saves the Day in the Middle of the Night for Large Manufacturer
CyberWins: Arctic Wolf Saves the Day in the Middle of the Night for Large Manufacturer

In the latest CyberWins, a large manufacturing company was attacked at 3:00 a.m. Learn about Arctic Wolf's ...

Next Article
2020 SOC Survey: Ongoing Security Operations Challenges
2020 SOC Survey: Ongoing Security Operations Challenges

The upcoming 2020 SOC Survey aims to provide more insight into barriers organizations are still dealing wit...


Get cybersecurity updates delivered to your inbox.

First Name
Last Name
Yes, I’d like to receive marketing emails from Arctic Wolf about solutions of interest to me.
I agree to the Website Terms of Use and Arctic Wolf Privacy Policy.
Thanks for subscribing!
Error - something went wrong!