Pierluigi Paganini March 30, 2020

The Zeus Sphinx malware is back, operators are now spreading it exploiting the interest in the Coronavirus outbreak.

The Zeus Sphinx malware is back, it was observed in a new wave of attacks attempting to exploit the interest in the Coronavirus outbreak.

Experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware, as known as Zloader or Terdot, that focus on government relief payments. 

The Zeus Sphinx malware was first observed on August 2015, a few days after a new variant of the popular Zeus banking trojan was offered for sale on hacker forums,

Now the Zeus Sphinx malware is back, operators are spreading it in a spam campaign aimed at stealing victims’ financial information.

Spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments

“Current malspam campaigns feature booby-trapped document files named “COVID 19 relief” and subject lines relying on the same theme. Sphinx’s targets have not changed from its past configuration files as it continues to focus on banks in the US, Canada, and Australia.” reads the analysis published by IBM Z-Force.

The Zeus Sphinx variant used in the recent Coronavirus-themed campaign is only slightly different than the original. 

Spam emails include a form, in an MS Word format, that must be filled out to receive funds to help people that now are at home due to the COVID 19 pandemic. The document is password-protected, likely to prevent analysis before it is received by the potential victim, the password is included in the content of the email.

Once opened, the document displays a message to instruct victims in enabling macros to view the content, unfortunately this action start the infection process.

“Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader.” continues the post.”Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the relevant malware — in this case, the new Sphinx variant.”

Zeus Sphinx gains persistence by dynamically writing itself to numerous files and folders, it also created registry keys for the same purpose.

Sphinx signs the malicious code using a digital certificate, a common evasion technique, when injected into the browser processes.

Experts observed that web injections are in some cases still based on the Zeus v2 codebase. Zeus Sphinx will patch processes associated to Explorer and common browsers, including Chrome and Mozilla Firefox. In this way, the malicious code is triggered when a user visits a target page, such as an online banking platform.

“As a modular banking Trojan that’s based on the dated Zeus v2 code, Sphinx’s core capability is to collect online account credentials from banks and a wide range of other websites.” continues the post. “It calls on its C&C server to fetch relevant web injections when infected users land on a targeted page and uses them to modify the pages users are browsing to include social engineering content and trick them into divulging personal information and authentication codes.”

Experts pointed out that if a browser pushes an update, the web injection function will likely not “survive.”

The report published by IBM X-Force also provided technical details about the threat, including IoCs.

Unfortunately, the number of COVID19-themed attacks continue to increase, if you are interested to receive info about the attacks observed in the last week give a look at:

Pierluigi Paganini

(SecurityAffairs – Zeus Sphinx Trojan, Coronavirus)

[adrotate banner=”5″]

[adrotate banner=”13″]