Zeus Sphinx Rises Back From the Ashes

What is happening

The situation

• Zeus Sphinx establishes persistence by adding a Run key to the Windows Registry. This ensures that the malware survives system reboot.
• The trojan’s core capability is to gain online account credentials for online banking websites, along with some other services. 
• After victims land on a targeted bank portal, web injections are fetched from the C2 server to modify the page.
• The information entered by the victim is then harvested by the attackers.

What the experts are saying

• As per researchers, “Once infected by Sphinx, every device sends information home and is defined in the botnet by a bot ID to ensure control and updates through the attacker’s server.”
• It has been explained by experts that while Zeus Sphinx is not as ubiquitous as other trojans such as TrickBot, its codebase has always been a constant enabler of banking frauds.

What you can do

• Use caution while clicking on links to unknown websites.
• Use comprehensive security to safeguard your credentials. 
• Update your systems and software.
• Deploy a vulnerability scan to detect existing security gaps. 
• Use traffic filters.

Worth noting

• The trojan has been designed to hook into browser functions.
• Zeus Sphinx signs the malicious code using a digital certificate that validates it.
• The attackers have taken advantage of the current pandemic and set their sights on government relief payments.

In essence