COVID-19 Weekly Threat Roundup: May 1

May 1, 2020

Welcome back to the Arctic Wolf COVID-19 Weekly Threat Roundup.   

This continuing series is part of how we’re helping our customers and the broader cybersecurity community during this challenging period.   

This news is designed to help you and your team defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Every Friday we'll summarize key cybersecurity news for the week, organized by major themes.

In each item we’ll include a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team. 

You can read previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.  

1. COVID Phishing Spoofs Governments 

Attackers spoof US Federal Reserve to steal bank accounts 

Attack summary: Throughout the pandemic, phishing campaigns have imitated government relief programs. In this attack, malicious actors impersonate the Federal Reserve, sharing information about the Paycheck Protection Program. The links led to an authentic-seeming webpage, which invited targets to select their bank and log in. Attackers then collected banking information 


  • Remind employees of the risks of phishing impersonating government agencies, and to never enter service credentials on a third-party site 

  • Ensure that mail and network security is up to date with the most recent threat intelligence 


Supposed FMLA update delivers TrickBot trojan 

Attack summary: In this campaign, attackers crafted a message offering updates on the Family and Medical Leave Act, purporting to come from the US Department of Labor. The message encouraged targets to download a document. The document then uses malicious macros to download a malware package, likely the TrickBot trojan, which allows attackers to execute bank account takeovers, fraud attacks, and botnet activity.  



  • hxxps://www.omegasystemsuae[.]com/9hfudnsfl.exe 

  • 198[.]72[.]111[.]141 


File Name 

File Category 

File Hash 




Family and Medical Leave of Act 22.04.doc 

Carrier File 












  • Train employees to identify suspicious documents, and never to authorize macros. 

  • Update antivirus, endpoint, and mail security to identify phishing and malware IOCs. 

  • Use detection and response solutions to identify compromised systems. 

Fake Brazilian government grant viral quiz spreads malware 

Attack summary: This scam claims to be a Brazilian government grant program. Targets are asked to complete a questionnaire to qualify for the program. Regardless of inputs, targets are told they do qualify, but only if they share the questionnaire with their Whatsapp contacts. Finally, targets who do distribute the scam are pumped for additional private information or encouraged to download malware. The viral social media delivery mechanism  




  • Train employees about the risk of viral scams from trusted contacts. Because the attack vector for this scam is a fooled personal contact, it may be more difficult to identify than a mass-distributed spam message or email. 

  • Establish policies separating personal employee devices from work devices, and/or ensure that employee devices AV/endpoint protection are up to date. 


Fake USAID Donations scam 

Attack summary: In this phishing campaign, attackers impersonate the United States Agency for International Development (USAID) and solicit cryptocurrency donations, supposedly to support COVID-19 relief.  


  • usaid-covid19[.]us 
  • 18ss3A1AXkJja6oVF59ATovAV5AoeLei4s 


  • Remind employees about the risk of donation scams, and teach them about best practices to ensure that donations are directed to legitimate organizations. 

  • If possible, offer recommended donation institutions or an in-office donation program. 

2. Additional COVID Phishing Campaigns 

Fake layoffs steal Zoom credentials 

Attack summary: In this attack, malicious actors impersonate Zoom, warning targets about a meeting beginning in just a few minutes. The text of the email is crafted to suggest that the targets are at risk of being laid off or having their contract terminated. This threat is designed to encourage targets to click the malicious link and input their Zoom credentials, compromising their accounts.  


  • zoom-emergency[.] 


  • Train employees about the risk of phishing campaigns impersonating Zoom or other video teleconferencing tools. 

  • Update mail and network security with the latest threat intel and IOCs. 

  • Use detection and response or account takeover awareness solutions to identify compromised employee accounts. 

Fake utility update compromises O365 

Attack summary: In response to the COVID-19 pandemic, many utility providers (such as water, gas, electric, etc.) have updated their policies to suspend disconnection or provide billing relief. In this campaign, attackers impersonate a local electric utility, offering a document with information about policy changes. The document leads to a page that attempts to steal Office365 credentials.  




  • Remind employees about the risk of phishing campaigns impersonating utilities or other services. 

  • Train employees to only provide login credentials on authorized webpages, and how to identify. scam login pages. 

  • Update mail and network security with new threat intelligence. 

  • Employ detection and response and account takeover solutions to identify compromised accounts.  


Fake delivery phishing campaigns 

Attack summary: attackers are exploiting the growth of online shopping and delivery services with a range of attacks organized around delivery themes. The attacks may claim to inform targets about a missed package, failed delivery due to COVID shipping restrictions, or offer tracking information. They can install a range of malware, including Recmos, Noon, the Bsysmem Trojan, or Androm, or may simply attempt to collect sensitive information.  


  • Train employees about the risk of delivery phishing campaigns, and how to spot spoofed emails. 

  • Ensure that mail, endpoint and network security are up to date. 

  • Employ detection and response tools to identify attacks that bypass the perimeter. 


3. Education and Remote Learning Under Attack 

Vulnerabilities discovered in leading  Wordpress e-learning plugins (Patched) 

Attack summary: COVID-19 has led to the closure of many in-person educational institutions and a dramatic growth in the use of e-learning platforms. Security researchers investigated whether three major Wordpress e-learning plugins were secure (LearnPress, LearnDash, and LifterLMS), and found serious vulnerabilities, including to SQL injection, privilege escalation, and arbitrary file write. After notifying the developers, each plugin released updates and patches.  


  • Promptly update all affected plugins to current, secure versions 

  • Ensure that you have the vulnerability management tools and patching cadence in place to recognize and respond to serious vulnerabilities when they are released 

Public schools targeted by ransomware 

Attack summary: Typically, public school ransomware attacks occur over the summer, with the intent of forcing institutions to pay before classes start. Security researchers report that the pandemic, with associated school closures and growth of e-learning has disrupted this ordinary seasonality. Public sector organizations were a prominent ransomware target in Q1, and almost half of targeted organizations were schools. 


  • Ransomware typically exploits phishing, software vulnerabilities, or misconfigurations.  

  • To prevent phishing, train your employees about phishing risks and maintain up to date mail security. 

  • To prevent exploited software vulnerabilities or misconfigurations, implement a vulnerability management and baselining solution. 

  • Consider detection and response solutions to identify ransomware attacks that circumvent defenses. 


Malware campaign targets universities 

Attack summary: This campaign seeks to deploy Hupigon, a versatile Remote Access Trojan. The messages arrive as adult dating lures, inviting targets to click the link beneath one of two pictures. The link downloads an executable, which installs Hupigon. This campaign had a substantial focus on education, colleges, and universities.   



  • 8e2f624f7bf79f35951fa8a434537caa7d82dfbdf0bcd97461f879c43eece7fa 

  • 373c7986a56ee7b428757ac7862676a6b5bbaaa1aee4122747fce5680ae024ff  


  • 142.54.162[.]66  

  • eth[.]ceo  


  • ooeth[.]com 

Delivery Domain 

  • down.gogominer[.]com 


  • Train employees and users not to download suspicious files, especially executables. 

  • Update mail and network security with the latest threat intelligence. 


4. Remote Work Attacks 

Microsoft Teams image vulnerability (patched) 

Attack summary: Security researchers developed a method for automated compromise of Microsoft Teams accounts, where sending an image would allow for takeover of the target account. The technique could have been used to develop automated account takeover worms. Researchers shared the method with Microsoft, which has resolved the vulnerability. 


  • Because the vulnerability has been resolved, no action is required to protect employees from this specific threat. 
  • However, it highlights the value of account takeover detection solutions to identify employee accounts compromised by new vulnerabilities, as well as detection and response tools to identify compromises exploiting compromised accounts. 


Dramatic growth in volume of brute-force attacks against RDP 

Attack summary: Remote Desktop Protocol, or RDP, is a popular technique for enabling users to connect to a distant computer—for example, a remote worker accessing an in-office workstation. Misconfigured RDP may leave systems vulnerable to compromise by attackers. Security researchers have identified a dramatic growth in brute-force attacks against RDP during the COVID-19 pandemic. When RDP is compromised, it may be used to exfiltrate data, or deploy ransomware or other malware. 


  • Secure RDP through use of strong passwords, VPN, multi-factor authentication; disable RDP and close port 3389 when not in use. 

  • Use vulnerability management tools to identify outstanding risks such as misconfigured or exposed RDP. 


5. Misc 

Pirated movies contain coinminer payloads 

Attack summary: The pandemic has led to an increased consumption of movies at home. Attackers are exploiting this with renewed focus on malicious payloads in pirated films. Microsoft security researchers warned of an active attack campaign that inserts malicious VBScript into ZIP files posing as movie downloads. The VBScript ultimately injects coinmining code into a notepad.exe process.  


  • Remind employees of the risks associated with insecure downloads, especially downloads that contain copyrighted or otherwise restricted materials 

  • Make sure endpoint and detection and response solutions are equipped to identify malicious processes operating on employee systems, such as coinminers 




Previous Article
COVID 19-Weekly Threat Roundup: May 8
COVID 19-Weekly Threat Roundup: May 8

Next Article
COVID-Related Cybersecurity Attacks To Be Aware Of
COVID-Related Cybersecurity Attacks To Be Aware Of

We've rounded up some recent coronavirus-related schemes of which you should be aware of, along with a few ...