Zeus Sphinx Banking Trojan Returns From the Dead in New COVID-19 Baiting Phishing Scam

  • The phishing emails ask recipients to fill a form to receive relief funds as they are now compelled to stay at home and cannot work during the quarantine.
  • Zeus Sphinx can maintain persistence by writing itself to numerous files and folders, as well as creating registry keys. 

The COVID-19 theme is being exploited thoroughly by hackers in a large variety of spam and malspam campaigns. Waking up from its hibernation after a long period, the Zeus Sphinx malware strain was found joining this new wave of scams.

What happened?
Recently, a group of researchers claimed that Zeus Sphinx, also known as Zloader or Terdot, was used to launch attack campaigns focusing on COVID-19 related government relief payments. 

  • First detected in August 2015, the malware became popular as a commercial modular banking Trojan with core code elements based on Zeus v2.
  • Earlier, it was notorious for targeting financial institutions across the UK, Australia, Brazil, and the US.
  • Now, the Zeus Sphinx Trojan has emerged in a new coronavirus-themed campaign targeting users in the same countries.

How does it work?
Zeus Sphinx is being spread through malicious files with names like "COVID 19 relief." 

  • The phishing emails ask recipients to fill a form to receive relief funds as they are now compelled to stay at home and cannot work during the quarantine.
  • The attached forms, either in .DOC or .DOCX file formats, are being used to gain a foothold into a system.
  • Downloading and opening the document asks a user to enable content (essentially macros).
  • That triggers the Zeus Sphinx payload, which hijacks Windows processes and establishes a connection to the malware's command-and-control (C2) server.
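A mail-gateway triage check for the attachment stage described above, added here as an example and not code from the researchers or the original article. It inspects an Office attachment's container rather than trusting its extension: an OOXML (zip) document that carries a `word/vbaProject.bin` part is flagged as macro-bearing, and a legacy OLE binary `.doc` is routed for sandbox review since its macro storage needs a full OLE parser. The sample attachments are constructed inline and are not real Zeus Sphinx lures.

```python
import io
import zipfile

# Magic bytes of a legacy OLE compound file (binary .doc); OOXML starts with "PK".
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _make_ooxml(with_macro: bool) -> bytes:
    """Constructed sample OOXML document; optionally carries a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder VBA project stream (not real macro code).
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def attachment_risk(name: str, data: bytes) -> dict:
    """Classify an Office attachment by its real container, not its file extension.

    Returns container type, whether a VBA project part was found (None when the
    format cannot be inspected here), and a 'review' flag for the mail pipeline.
    """
    result = {"name": name, "container": "unknown", "has_vba": False, "review": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary .doc: macros live inside the OLE storage. Without an OLE
        # parser we cannot clear it, so hand it to the sandbox.
        result.update(container="ole", has_vba=None, review=True)
        return result
    if data[:2] == b"PK":
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            # A malformed zip posing as a document is itself worth a look.
            result["review"] = True
            return result
        # A VBA project part is what "Enable Content" would execute; a form that
        # needs one to render is the lure pattern described above.
        result["has_vba"] = any(n.endswith("vbaproject.bin") for n in names)
        result["review"] = result["has_vba"]
    return result
```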

Infection capabilities of the malware
The researchers noted that web injections are a specialty of this malware, while its core elements remain based on the Zeus v2 codebase.

  • Zeus Sphinx can maintain persistence by writing itself to numerous files and folders, as well as creating registry keys. 
  • It can patch explorer.exe and browser processes to fetch web injection codes.
  • It can avoid detection using a self-signed certificate.

However, there’s a catch
The Zeus Sphinx payload contains an inherent flaw: there is no process for re-patching web browsers after the initial exploit. Hence, an update pushed to a browser would nullify the effect of the malware's web injection function.