After being dormant for several years, the operators of the Zeus Sphinx banking malware are back with a new spam campaign aimed at stealing victims’ financial information.
“While some Sphinx activity we detected trickled in starting December 2019, campaigns have only increased in volume in March 2020, possibly due to a testing period by Sphinx’s operators. It appears that, taking advantage of the current climate, Sphinx’s operators are setting their sights on those waiting for government relief payments,” according to a new report from IBM X-Force threat intelligence team.
The Zeus Sphinx malware (aka Zloader, Terdot) was first observed in August 2015, targeting major financial entities in the U.K., Australia, Brazil and North America.
In the new campaign, the attackers leveraged a slightly modified version of Zeus Sphinx that is distributed via coronavirus-themed malicious .doc or .docx files. In the email, users were prompted to fill out the attached form to receive monetary compensation for having to stay at home to help fight rising infection rates.
Once opened, the document displays a message instructing victims to enable macros in order to view the content.
“Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader. Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the relevant malware — in this case, the new Sphinx variant,” the research team explained.
Once on the machine, the malware achieves persistence by writing itself to numerous folders and files and adds several Registry keys in order to hide itself and manage its configuration files over time. Zeus Sphinx signs the malicious code with a digital certificate when it is injected into the browser processes.
To carry out web injections, the malware patches processes associated with Internet Explorer and other common browsers, including Google Chrome and Mozilla Firefox. In this way, the malicious code is triggered when a user visits a targeted page, such as an online banking platform.
“As a modular banking Trojan that’s based on the dated Zeus v2 code, Sphinx’s core capability is to collect online account credentials from banks and a wide range of other websites. It calls on its C&C server to fetch relevant web injections when infected users land on a targeted page and uses them to modify the pages users are browsing to include social engineering content and trick them into divulging personal information and authentication codes,” X-Force researchers added.
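The infection chain described above (macro-launched script host, Registry persistence, code injected into browser processes) leaves footprints in endpoint telemetry. The following detection sketch is an added example, not code from IBM X-Force or from the article; it runs over constructed Sysmon-style events (event ID 1 process creation, 13 registry value set, 8 remote thread creation) for hypothetical hosts WS01 and WS02, and the Run-key path and process names are assumptions chosen for illustration rather than indicators from the report.

```python
"""Correlate stages of an Office-macro -> persistence -> browser-injection chain per host."""
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe", "rundll32.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}

# Constructed sample telemetry (not real logs). Sysmon IDs: 1 = ProcessCreate,
# 13 = RegistryEvent (value set), 8 = CreateRemoteThread.
EVENTS = [
    {"id": 1, "host": "WS01", "parent": "explorer.exe", "image": "winword.exe"},
    {"id": 1, "host": "WS01", "parent": "winword.exe", "image": "wscript.exe"},
    {"id": 13, "host": "WS01", "image": "wscript.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},  # assumed key
    {"id": 8, "host": "WS01", "image": "wscript.exe", "target_image": "chrome.exe"},
    {"id": 1, "host": "WS02", "parent": "explorer.exe", "image": "chrome.exe"},
    {"id": 8, "host": "WS02", "image": "chrome.exe", "target_image": "chrome.exe"},  # benign self-thread
]


def find_stages(events):
    """Return {host: [stage, ...]} listing, in telemetry order, which chain stages each host shows."""
    stages = defaultdict(list)
    for ev in events:
        host = ev["host"]
        if ev["id"] == 1 and ev.get("parent") in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
            stages[host].append("office_spawned_script_host")
        elif ev["id"] == 13 and "\\currentversion\\run\\" in ev.get("target", "").lower():
            stages[host].append("registry_run_persistence")
        elif (ev["id"] == 8 and ev.get("target_image") in BROWSERS
              and ev["image"] not in BROWSERS):  # a non-browser writing into a browser
            stages[host].append("browser_injection")
    return dict(stages)


def alerts(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages; one stage alone is too noisy to page on."""
    return sorted(h for h, s in find_stages(events).items() if len(set(s)) >= min_stages)


if __name__ == "__main__":
    for host, stage_list in find_stages(EVENTS).items():
        print(host, "->", ", ".join(stage_list))
    print("alert on:", alerts(EVENTS))  # prints: alert on: ['WS01']
```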