• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Zero Day Quest returns: Microsoft ups the stakes with $5M bug bounty

 | 

Cisco disclosed a CRM data breach via vishing attack

 | 

Exposed Without a Breach: The Cost of Data Blindness

 | 

SonicWall investigates possible zero-day amid Akira ransomware surge

 | 

Chaining NVIDIA's Triton Server flaws exposes AI systems to remote takeover

 | 

Hacking group D4rk4rmy claimed the hack of Monte-Carlo Société des Bains de Mer

 | 

Northwest Radiologists data breach hits 350,000 in Washington

 | 

PlayPraetor Android RAT expands rapidly across Spanish and French-speaking regions

 | 

Lovense flaws expose emails and allow account takeover

 | 

Nation-state group CL-STA-0969 targeted Southeast Asian telecoms in 2024

 | 

Akira Ransomware targets SonicWall VPNs in likely zero-day attacks

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 56

 | 

Security Affairs newsletter Round 535 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

New Linux backdoor Plague bypasses auth via malicious PAM module

 | 

China Presses Nvidia Over Alleged Backdoors in H20 Chips Amid Tech Tensions

 | 

Malicious AI-generated npm package hits Solana users

 | 

Meta Offers $1M bounty at Pwn2Own Ireland 2025 for WhatsApp exploits

 | 

ToolShell under siege: Check Point analyzes Chinese APT Storm-2603

 | 

CISA released Thorium platform to support malware and forensic analysis

 | 

Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Zeus Sphinx continues to be used in Coronavirus-themed attacks

Zeus Sphinx continues to be used in Coronavirus-themed attacks

Pierluigi Paganini May 12, 2020

The Zeus Sphinx banking Trojan continues to evolve while receiving new updates it is employed in ongoing coronavirus-themed scams. 

IBM security researcher continues to monitor the evolution of the infamous Zeus Sphinx banking Trojan (aka Zloader or Terdot) that receives frequent updates and that was involved in active coronavirus scams. 

The Zeus Sphinx banking Trojan is based on the code of the Zeus v.2 Trojan that was leaked online.

The Zeus Sphinx malware was first observed on August 2015, a few days after a new variant of the popular Zeus banking trojan was offered for sale on hacker forums,

At the end of March, experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware that focused on government relief payment.

Operators were spreading it in a spam campaign aimed at stealing victims’ financial information, the spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments

Researchers revealed that the malware is receiving constant upgrades to improve its capabilities. 

Zeus Sphinx is distributed through malspam campaigns that use weaponized office documents. The malware achieves persistence by adding a Run key to the Windows Registry, it can come in two different formats, an executable file or a dynamic link library (DLL).

The Trojan has been designed to grab banking details or account credentials for online services by leveraging browser injection techniques.

Zeus Sphinx injects malicious code into browser processes to redirect users to malicious websites.

The malware creates a process, named msiexec.exe, to avoid detection. The name msiexec.exe is usually associated with a legitimate Windows Installer process that is responsible for installation.

Compared with the campaigns observed in early 2020, the malware samples involved in the recent attacks included a new set of RC4 keys, a smaller and different set of C2s, and a new variant ID.

“Sphinx uses a pseudo-random number generator (PRNG) named MT19937 (also known as the Mersenne Twister). Let’s look at how Zeus Sphinx implements this PRNG to create names for its resources.” reads the analysis published by IBM.

“While less common in the wild than Trojans like TrickBot, for example, Sphinx’s underlying Zeus DNA has been an undying enabler of online banking fraud.” “Financial institutions must reckon with its return and spread to new victims amid the current pandemic.”

Zeus Sphinx

Other malware were involved in Coronavirus-themed attacks, early May IBM X-Force researchers spotted a new COVID-19-themed campaign spreading the infamous TrickBot trojan through fake messages.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Zeus Sphinx, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

banking coronavirus information security news it security it security news malware Pierluigi Paganini Security News Trojan Zeus Sphinx

you might also like

Pierluigi Paganini August 05, 2025
Zero Day Quest returns: Microsoft ups the stakes with $5M bug bounty
Read more
Pierluigi Paganini August 05, 2025
Cisco disclosed a CRM data breach via vishing attack
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Zero Day Quest returns: Microsoft ups the stakes with $5M bug bounty

    Hacking / August 05, 2025

    Cisco disclosed a CRM data breach via vishing attack

    Data Breach / August 05, 2025

    Exposed Without a Breach: The Cost of Data Blindness

    Security / August 05, 2025

    SonicWall investigates possible zero-day amid Akira ransomware surge

    Security / August 05, 2025

    Chaining NVIDIA's Triton Server flaws exposes AI systems to remote takeover

    Security / August 05, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT