Zeus Sphinx Banking Trojan Returns From the Dead in New COVID-19 Baiting Phishing Scam
- The phishing emails ask recipients to fill a form to receive relief funds as they are now compelled to stay at home and cannot work during the quarantine.
- Zeus Sphinx can maintain persistence by writing itself to numerous files and folders, as well as creating registry keys.
The COVID-19 theme is being exploited thoroughly by hackers in a large variety of spam and malspam campaigns. Waking up from its hibernation after a long period, the Zeus Sphinx malware strain was found joining this new wave of scams.
What happened?
Recently, a group of researchers claimed that Zeus Sphinx, also known as Zloader or Terdot, was used to launch attack campaigns focusing on COVID-19 related government relief payments.
- First detected in August 2015, the malware became popular as a commercial modular banking Trojan with core code elements based on Zeus v2.
- Earlier, it was notorious for targeting financial institutions across the UK, Australia, Brazil, and the US.
- Now, the Zeus Sphinx trojan has emerged through a new coronavirus-themed campaign while targeting users in the same countries.
How does it work?
Zeus Sphinx is being spread through malicious files with names like "COVID 19 relief."
- The phishing emails ask recipients to fill a form to receive relief funds as they are now compelled to stay at home and cannot work during the quarantine.
- The attached forms, either in .DOC or .DOCX file formats, are being used to gain a foothold into a system.
- Downloading and opening the document asks a user to enable content (essentially macros).
- That triggers the Zeus Sphinx payload, which hijacks Windows processes and establishes a connection to the malware's command-and-control (C2) server.
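The infection chain above hinges on a macro-bearing Word attachment. As an added example (not code from the original article or the researchers it cites), the following script checks whether a Word OOXML container carries a VBA project, which is the kind of triage an email gateway or analyst can run before anyone clicks "enable content". The sample documents are constructed in memory and are not real lures.

```python
"""Flag Office Open XML (docx/docm) attachments that carry a VBA project.

Added example, not from the original article: scans the ZIP container of a
Word OOXML file for the parts that indicate embedded macros. The sample
documents are constructed in memory and are not real lures.
"""
import io
import zipfile

VBA_PART = "word/vbaProject.bin"  # present only when a VBA project is embedded
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def ooxml_macro_findings(data: bytes) -> list:
    """Return macro indicators found in the bytes of a Word OOXML file (empty = none)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc is an OLE compound file, not a ZIP; it needs an OLE parser.
        return ["not an OOXML (ZIP) container; inspect as legacy .doc/OLE instead"]
    names = set(zf.namelist())
    findings = []
    if VBA_PART in names:
        findings.append(f"contains {VBA_PART} (embedded VBA project)")
    if "[Content_Types].xml" in names:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if MACRO_CONTENT_TYPE in ctypes:
            findings.append("content type declares a macro-enabled document")
    return findings


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real document."""
    main_type = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    ctypes = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()
```

Run `ooxml_macro_findings(open(path, "rb").read())` on a quarantined attachment; any finding means the file should be detonated or blocked rather than delivered.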
Infection capabilities of the malware
The researchers noted that web injections are a specialty of this malware; in other respects, its core elements are still based on the Zeus v2 codebase.
- Zeus Sphinx can maintain persistence by writing itself to numerous files and folders, as well as creating registry keys.
- It can patch explorer.exe and browser processes to fetch web injection codes.
- It can avoid detection using a self-signed certificate.
However, there’s a catch
The Zeus Sphinx payload contains an inherent flaw: there is no process for re-patching web browsers after the initial compromise. Hence, an update pushed to a browser would nullify the effect of the malware's web injection function.