Zeus Sphinx revamped as coronavirus relief payment attack wave continues

silversurfer
Thread author
The Zeus Sphinx banking Trojan is now receiving frequent updates and upgrades to its malicious arsenal while being deployed in active coronavirus scams.

On Monday, IBM Security researcher Nir Shwarts said the company has been tracking the evolution of the malware, which is based on the leaked codebase of the well-known Zeus v2 Trojan. According to IBM, the malware is becoming more firmly entrenched by way of constant upgrades that improve its potency.

Zeus Sphinx first lands on machines through a malicious attachment in which victims are asked to enable macros. Once deployed, the malware adds a Run key to the Windows Registry -- a very common method of maintaining persistence, and one Zeus Sphinx has used since it first appeared -- and will either deploy as an executable or as a malicious dynamic link library (DLL).

The malware has been designed to grab credentials, such as banking details or account usernames and passwords for online services. Zeus Sphinx uses browser injection techniques to achieve this goal, inserting malicious code into explorer.exe and browser processes to redirect victims to fraudulent domains when they attempt to visit financial websites. Zeus Sphinx will also create a standalone process named msiexec.exe, mimicking the legitimate Windows Installer program, in an attempt to remain stealthy.
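As an added illustration (not part of the article or of IBM's write-up), the Python triage script below shows how a responder could check a host for the two behaviours described above: a Run-key autostart that points at an executable or a DLL in a user-writable location, and a process named msiexec.exe whose image is not in a Windows system directory. The registry values, process snapshot and allowlist prefix are constructed sample data, and the heuristics are generic autostart and masquerading checks, not Zeus Sphinx indicators; in practice the two lists would be fed from a registry export and a process listing of the host being examined.

```python
"""Triage helpers for two host behaviours: a Run-key autostart pointing into a
user-writable directory, and a process masquerading as msiexec.exe.
All sample data below is constructed for illustration (assumption, not telemetry)."""
import ntpath
import re

# Directories a standard user can write to without admin rights; an autostart
# entry pointing here is cheap for malware to create.  Tune for your estate.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)

# Constructed placeholder for the organisation's baseline of expected per-user
# software; a real allowlist would come from a golden image or EDR inventory.
ALLOWLIST_PREFIXES = (
    r"c:\users\alice\appdata\local\microsoft\onedrive",
)

# Living-off-the-land loaders used to start a DLL payload from a Run value.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

# Where the genuine Windows Installer executable lives.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed Run values, as they would appear in an export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the HKLM equivalent.
SAMPLE_RUN_ENTRIES = [
    {"hive": "HKLM", "name": "SecurityHealth",
     "command": r'"C:\Windows\System32\SecurityHealthSystray.exe"'},
    {"hive": "HKCU", "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"hive": "HKCU", "name": "Update",
     "command": r'C:\Users\alice\AppData\Roaming\Ybpdw\ycolo.exe'},
    {"hive": "HKCU", "name": "svc",
     "command": r'rundll32.exe C:\Users\alice\AppData\Roaming\Wekip\lofad.dll,Start'},
]

# Constructed process snapshot: one genuine msiexec.exe and one imposter.
SAMPLE_PROCESSES = [
    {"pid": 4012, "name": "msiexec.exe", "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 3980, "name": "explorer.exe", "image": r"C:\Windows\explorer.exe"},
    {"pid": 5120, "name": "msiexec.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Ybpdw\msiexec.exe"},
]


def _paths_in_command(command):
    """Return every token that looks like a drive-letter path in a command line."""
    return re.findall(r'[A-Za-z]:\\[^",\s]+', command)


def _launcher(command):
    """Base name of the program a Run value starts: the first token, unquoted."""
    stripped = command.strip()
    first = stripped[1:].split('"', 1)[0] if stripped.startswith('"') else stripped.split()[0]
    return ntpath.basename(first).lower()


def suspicious_run_entries(entries):
    """Return (hive, value name, reasons) for each Run value that trips a heuristic."""
    findings = []
    for entry in entries:
        paths = _paths_in_command(entry["command"])
        launcher = _launcher(entry["command"])
        reasons = []
        # Heuristic 1: rundll32/regsvr32 loading a DLL from outside the system directories
        # (covers a payload delivered as a DLL rather than an executable).
        if launcher in DLL_LOADERS:
            for path in paths:
                if path.lower().endswith(".dll") and ntpath.dirname(path).lower() not in SYSTEM_DIRS:
                    reasons.append(f"{launcher} loads DLL from non-system path {path}")
        # Heuristic 2: any referenced path sits in a user-writable directory that is
        # not on the allowlist.
        for path in paths:
            if USER_WRITABLE.search(path) and not path.lower().startswith(ALLOWLIST_PREFIXES):
                reasons.append(f"user-writable path {path}")
        if reasons:
            findings.append((entry["hive"], entry["name"], "; ".join(reasons)))
    return findings


def masquerading_processes(processes, name="msiexec.exe"):
    """Return (pid, image) for processes carrying a system binary's name but
    running from outside the Windows system directories."""
    hits = []
    for proc in processes:
        if proc["name"].lower() != name:
            continue
        if ntpath.dirname(proc["image"]).lower() not in SYSTEM_DIRS:
            hits.append((proc["pid"], proc["image"]))
    return hits


if __name__ == "__main__":
    for hive, name, why in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[Run] {hive}\\...\\Run\\{name}: {why}")
    for pid, image in masquerading_processes(SAMPLE_PROCESSES):
        print(f"[Proc] pid {pid} named msiexec.exe runs from {image}")
```

The path-based allowlist is the weak point of this check: a real baseline should compare Authenticode signer and file hash rather than directory prefix, and the msiexec.exe check should be extended with the process's parent and command line, since an attacker who can write to System32 would defeat the directory test.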