Zeus Sphinx revamped as coronavirus relief payment attack wave continues

The Zeus Sphinx banking Trojan is now receiving frequent updates and upgrades to its malicious arsenal while being deployed in active coronavirus scams.

On Monday, IBM Security researcher Nir Shwarts said the company has been tracking the evolution of the malware, which is based on the leaked codebase of the well-known Zeus v.2 Trojan. According to IBM, the malware is becoming more firmly entrenched through constant upgrades that improve its potency.

Zeus Sphinx first lands on machines through a malicious attachment in which victims are asked to enable macros. Once deployed, the malware adds a Run key to the Windows Registry -- a very common method to maintain persistence that has also been used by Zeus Sphinx since it first appeared -- and will either deploy as an executable or as a malicious dynamic link library (DLL).

The malware has been designed to grab credentials, such as banking details or account usernames and passwords for online services. Zeus Sphinx uses browser injection techniques to achieve this goal, inserting malicious code into explorer.exe and browser processes to redirect victims to fraudulent domains when they attempt to visit financial websites. Zeus Sphinx will also create a standalone process named msiexec.exe, mimicking a legitimate program, in an attempt to remain stealthy.
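The two host artefacts the article describes, a Run-key autostart and a process posing as msiexec.exe, are easy to triage on a suspect machine. The following PowerShell is an added example, not code from the article or from IBM's report; its path heuristics (user-writable directories, msiexec.exe outside System32/SysWOW64) are assumptions for illustration, not published Zeus Sphinx indicators.

```powershell
# Added triage example (not from the article or IBM's report).
# 1) Run-key persistence: list autostart entries that point at user-writable
#    locations or use a DLL loader (the article notes the payload may be a DLL).
# 2) Masquerading: list msiexec.exe processes not backed by the Windows binary.
# Path heuristics below are assumptions for illustration, not Zeus Sphinx IoCs.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories a legitimately installed autostart rarely points to (assumed heuristic).
$suspiciousDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    $names = ($entries.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $names) {
        $cmd = [string]$entries.$name
        $reasons = @()
        if ($suspiciousDirs | Where-Object { $_ -and ($cmd -like "*$_*") }) {
            $reasons += 'user-writable path'
        }
        if ($cmd -match '(?i)\b(rundll32|regsvr32)(\.exe)?\b') {
            $reasons += 'DLL loader in Run value'
        }
        if ($reasons) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Reason = ($reasons -join ', ') }
        }
    }
}

# Genuine msiexec.exe lives only in these two locations on a stock install.
$legitMsiexec = @("$env:SystemRoot\System32\msiexec.exe", "$env:SystemRoot\SysWOW64\msiexec.exe")

Get-CimInstance Win32_Process -Filter "Name = 'msiexec.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    # A null path usually means access was denied; resolve those from an elevated shell.
    if ($path -and ($legitMsiexec -notcontains $path)) {
        [pscustomobject]@{
            PID       = $_.ProcessId
            ParentPID = $_.ParentProcessId
            Path      = $path
            Reason    = 'msiexec.exe outside System32/SysWOW64'
        }
    }
}
```

A hit from either check is a lead, not a verdict: confirm by hashing the file and comparing its signature before acting on it.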