31 March 2020

Zeus Sphinx banking malware resurfaced after years of silence

After being dormant for several years, the operators of the Zeus Sphinx banking malware are back with a new spam campaign aimed at stealing victims’ financial information.

“While some Sphinx activity we detected trickled in starting December 2019, campaigns have only increased in volume in March 2020, possibly due to a testing period by Sphinx’s operators. It appears that, taking advantage of the current climate, Sphinx’s operators are setting their sights on those waiting for government relief payments,” according to a new report from IBM X-Force threat intelligence team.

The Zeus Sphinx malware (aka Zloader, Terdot) was first observed in August 2015, targeting major financial entities in the U.K., Australia, Brazil and North America.

In the new campaign the attackers leveraged a slightly modified version of Zeus Sphinx, distributed via coronavirus-themed malicious .doc or .docx files. The emails prompted users to fill out the attached form in order to receive monetary compensation for having to stay at home to help fight increasing infection rates.

Once opened, the document displays a message instructing victims to enable macros in order to view the content.

“Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader. Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the relevant malware — in this case, the new Sphinx variant,” the research team explained.
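The delivery chain described above hinges on the attachment carrying VBA macros. A mail gateway or triage script can flag that before a user ever sees the "enable content" prompt by inspecting the OOXML container itself rather than trusting the file extension (a macro-bearing document can be renamed to .docx). The following is an added example, not code from the original report or from IBM X-Force; the sample documents it builds are constructed in memory and are not real Word files. Legacy binary .doc files are OLE2 containers, not zips, and need a separate OLE parser; this example only reports that such a file is not OOXML.

```python
import io
import zipfile

# Parts an OOXML (Word 2007+) package contains when it embeds VBA.
# Their presence means the file has macros regardless of its extension.
VBA_PART_NAMES = ("word/vbaProject.bin", "word/vbaData.xml")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def ooxml_macro_indicators(data: bytes) -> dict:
    """Inspect raw file bytes and report macro indicators.

    Returns a dict with:
      is_ooxml          - the bytes are a zip with a [Content_Types].xml part
      vba_parts         - sorted list of macro container parts found
      vba_content_type  - the content-types manifest declares a VBA project
      has_macros        - either indicator fired
    """
    result = {"is_ooxml": False, "vba_parts": [], "vba_content_type": False, "has_macros": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip: legacy OLE2 .doc, a different format, or not a document.
        return result
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    result["vba_parts"] = sorted(n for n in names if n in VBA_PART_NAMES)
    manifest = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
    result["vba_content_type"] = VBA_CONTENT_TYPE in manifest
    result["has_macros"] = bool(result["vba_parts"]) or result["vba_content_type"]
    return result


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for demonstration (constructed data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            # Placeholder bytes standing in for a VBA project stream (constructed).
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro-enabled", build_sample(True)),
                          ("plain", build_sample(False)),
                          ("not-ooxml", b"not a zip at all")):
        print(label, ooxml_macro_indicators(sample))
```

Checking both the part names and the content-types manifest matters because either alone can be stripped or obfuscated by a packer; a document that declares a VBA project but ships no `vbaProject.bin` is itself worth a closer look.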

Once on the machine, the malware achieves persistence by writing itself to numerous folders and files and adds Registry keys in order to hide itself and manage its configuration files over time. Zeus Sphinx signs the malicious code with a digital certificate when it is injected into browser processes.

To carry out web injections, the malware patches processes associated with Internet Explorer and other common browsers, including Google Chrome and Mozilla Firefox. In this way, the malicious code is triggered when a user visits a targeted page, such as an online banking platform.

“As a modular banking Trojan that’s based on the dated Zeus v2 code, Sphinx’s core capability is to collect online account credentials from banks and a wide range of other websites. It calls on its C&C server to fetch relevant web injections when infected users land on a targeted page and uses them to modify the pages users are browsing to include social engineering content and trick them into divulging personal information and authentication codes,” X-Force researchers added.
