The Zeus Sphinx banking trojan has recently resurfaced in the US. It has been upgraded, and one of its new lures is COVID-19-themed spam. Like other trojans in the Zeus family, this financial malware is built on the Zeus codebase (Zeus v188.8.131.52).
What is happening
Zeus Sphinx was initially sold as commodity malware on underground forums, but it is now suspected to be run by a small number of closed groups. Although it re-emerged in December last year, activity spiked in March with coronavirus-themed malspam, and since April the malware has been aimed at US targets.
- Zeus Sphinx establishes persistence by adding a value to a Run key in the Windows Registry, so the malware is relaunched after every reboot.
- The trojan's core capability is stealing login credentials for online banking websites, along with some other services.
- When the victim browses to a targeted bank portal, the bot fetches web injections from its C2 server and uses them to modify the page in the browser (for example, by adding extra form fields).
- Whatever the victim types into the modified page is then harvested by the attackers.
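The Run-key persistence described above is one of the few host artifacts a defender can detect generically, regardless of which Sphinx build landed. The following is an added example written for this page, not code from the original article or from any vendor: it triages Sysmon Event ID 13 (RegistryEvent: Value Set) records and flags Run/RunOnce values whose autostart command points into a user-writable directory or goes through a script host or proxy executable. The event records are constructed for the example (the paths, SIDs and value names are invented), and the check assumes your Sysmon configuration actually logs writes to the Run keys, which the default configuration does not.

```python
import re
from dataclasses import dataclass, field

# Autostart locations under HKCU or HKLM. Sysmon renders HKCU as HKU\<SID>, and
# Wow6432Node covers 32-bit binaries on 64-bit hosts. The trailing [^\\]+ is the
# value name, so the pattern only matches a value directly under Run/RunOnce.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$",
    re.IGNORECASE,
)

# User-writable directories a legitimate installer rarely uses for an autostart binary.
USER_WRITABLE_DIRS = (
    "\\AppData\\Roaming\\", "\\AppData\\Local\\", "\\Temp\\",
    "\\Users\\Public\\", "\\ProgramData\\",
)

# Script hosts and proxy executables commonly used to launch a dropped payload.
LOLBINS = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell")

# Constructed Sysmon Event ID 13 records, trimmed to the fields the check needs.
# These are sample records written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\Ifuj\ofuvy.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\ofuvy",
     "Details": r"C:\Users\alice\AppData\Roaming\Ifuj\ofuvy.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Foo\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Image": r"C:\Users\bob\Downloads\invoice.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\upd",
     "Details": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,Start"},
]


@dataclass
class Finding:
    target: str                      # registry value that was written
    details: str                     # value data, i.e. the autostart command line
    reasons: list = field(default_factory=list)


def is_run_key(target_object: str) -> bool:
    """True when the registry path is a value directly under a Run/RunOnce key."""
    return RUN_KEY_RE.search(target_object) is not None


def suspicious_reasons(details: str) -> list:
    """Reasons the autostart command line looks like dropped malware rather than an installer."""
    reasons = []
    lowered = details.lower()
    for directory in USER_WRITABLE_DIRS:
        if directory.lower() in lowered:
            reasons.append(f"autostart path under user-writable dir {directory}")
            break
    for lolbin in LOLBINS:
        if re.search(r"\b" + lolbin + r"(?:\.exe)?\b", lowered):
            reasons.append(f"launched via {lolbin}")
            break
    return reasons


def triage(events) -> list:
    """Return a Finding for every Run/RunOnce value-set event with at least one suspicious trait."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or not is_run_key(ev.get("TargetObject", "")):
            continue
        reasons = suspicious_reasons(ev.get("Details", ""))
        if reasons:
            findings.append(Finding(ev["TargetObject"], ev["Details"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.target}\n    {f.details}\n    {'; '.join(f.reasons)}")
```

On the sample records, the vendor updater under Program Files and the service start-type change are ignored, while the value pointing into AppData\Roaming and the RunOnce entry that runs a DLL out of Temp through rundll32 are both flagged. Writes into Program Files still deserve a look if the writing process is unusual, so in production you would also key on the Image field rather than on the value data alone.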
What the experts are saying
- According to researchers, “Once infected by Sphinx, every device sends information home and is defined in the botnet by a bot ID to ensure control and updates through the attacker’s server.”
- Experts note that while Zeus Sphinx is not as widespread as trojans such as TrickBot, its codebase has long been a staple of banking fraud.
What you can do
- Use caution before clicking links to unknown websites, and treat unsolicited COVID-19 or relief-payment emails with suspicion.
- Use comprehensive endpoint security to safeguard your credentials.
- Keep your operating systems and software updated.
- Run vulnerability scans to find existing security gaps.
- Filter email and web traffic to block malspam and connections to known C2 servers.
Other notable details
- The trojan is designed to hook browser functions, which is how it rewrites bank pages and reads what the victim types.
- Zeus Sphinx's malicious code is digitally signed, which helps it pass as legitimate software.
- The attackers have taken advantage of the current pandemic and set their sights on government relief payments.
Although Zeus Sphinx started out attacking North American targets, it has since spread to other parts of the world, including the UK, Brazil, and Australia, and its most recent campaigns before this one hit users in Japan. The operators have now refocused on the US to go after government relief payments.