Zeus Sphinx malware resurrects to abuse COVID-19 fears

silversurfer

On Monday, IBM X-Force said that Zeus Sphinx -- also known as Zloader or Terdot -- has been spotted in campaigns launched in March that focus on government relief payments.

Zeus Sphinx was first detected in the wild in August 2015. The malware emerged as a commercial modular banking Trojan with core code elements based on Zeus v2. The malware targeted financial institutions across the UK, Australia, Brazil, and the US; and now, Zeus Sphinx has reemerged with a focus on the same countries through a new coronavirus-themed campaign.

The researchers said that Zeus Sphinx is being spread through phishing campaigns loaded with malicious files named "COVID 19 relief." The emails claim that a form must be filled out to receive funds intended to tide over people who now have to stay at home rather than work during the outbreak.

The attached form, usually a .DOC or .DOCX file, uses a typical technique to gain a foothold on a system. If downloaded and opened, the document requests that the user enable macros, which in turn triggers the Zeus Sphinx payload by way of hijacked Windows processes and a connected command-and-control (C2) server that hosts the malware.

Once installed on a compromised machine, Zeus Sphinx maintains persistence by dynamically writing itself to numerous files and folders, as well as creating registry keys. The malware also attempts to avoid detection as malicious software by using a self-signed certificate.

Web injections are the malware's specialty, and in some cases are still based on the Zeus v2 codebase. Zeus Sphinx will patch explorer.exe and browser processes -- including those used by Google Chrome and Mozilla Firefox -- to fetch injections when a user visits a target page, such as an online banking platform. The code then modifies these pages to trick users into handing over authentication details, which are harvested and sent to the malware's C2.