Zeus Sphinx banker is active again and uses coronavirus as bait

Researchers at IBM X-Force report that the Zeus Sphinx banking Trojan (aka Zloader and Terdot) is active again after several years of inactivity and is now exploiting the coronavirus pandemic to its advantage.

Experts recall that Zeus Sphinx was first discovered in August 2015, when the malware went on sale as a commercial modular banker based on Zeus source code. At that time its attacks targeted financial institutions in the UK, Australia, Brazil and the USA, and now that Zeus Sphinx has reappeared, it targets the same countries.

Zeus Sphinx spreads through phishing campaigns that deliver malicious files named “COVID 19 relief”. In their spam emails, the cybercriminals claim that the recipient is eligible for government assistance; to receive the funds, they are told to fill out a special form attached to the message as a .DOC or .DOCX file. When the document is downloaded and opened, it tells the victim that macros must be enabled; the macros, in turn, connect to the command-and-control server and launch the Zeus Sphinx payload.
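The delivery chain above relies on a Word attachment that carries a VBA project. A mail gateway or triage script can flag such attachments before a user is ever asked to “enable macros”. The following is an added example written for this page, not code from IBM X-Force or from the article: it inspects an attachment's bytes rather than trusting its extension. In the OOXML (.docx/.docm) zip container, macros are stored in the `word/vbaProject.bin` part, and legacy binary .DOC files begin with the OLE2 compound-file signature; both facts are standard format details, while the sample documents are constructed in memory so the check runs offline.

```python
import io
import zipfile

# OLE2 compound-file signature: legacy binary .DOC containers start with these 8 bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Zip parts whose presence means the document carries a VBA project (compared lower-cased).
MACRO_PARTS = ("word/vbaproject.bin", "word/vbadata.xml")


def build_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML document in memory (sample input, not a real lure file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Constructed placeholder blob standing in for a compiled VBA project.
            z.writestr("word/vbaProject.bin", b"\x00constructed VBA blob")
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Classify attachment bytes as 'macro', 'clean', 'legacy-binary' or 'unknown'.

    The file name is deliberately ignored: a macro-enabled document renamed to
    .docx still contains word/vbaProject.bin, and that is what we look for.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy .DOC: macros live inside OLE streams, which this check does not parse.
        # Hand it to a dedicated OLE parser for deeper inspection.
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = {n.lower() for n in z.namelist()}
    if any(part in names for part in MACRO_PARTS):
        return "macro"
    return "clean"


def should_quarantine(data: bytes) -> bool:
    """Policy: hold anything with a VBA project, and legacy binaries pending analysis."""
    return classify_attachment(data) in ("macro", "legacy-binary")


if __name__ == "__main__":
    for label, blob in (("macro doc", build_docx(True)),
                        ("clean doc", build_docx(False)),
                        ("legacy doc", OLE_MAGIC + b"\x00" * 16)):
        print(f"{label}: {classify_attachment(blob)} quarantine={should_quarantine(blob)}")
```

The check is intentionally narrow: it answers “does this attachment carry macros at all?”, which is the question a gateway rule needs, and leaves the content of the VBA project to a full analysis tool. Matching part names case-insensitively avoids a trivial bypass via mixed-case zip entries.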

Zeus Sphinx establishes persistence on the infected system, dynamically writing itself to numerous files and folders and creating registry keys. The malware also tries to evade detection by using a self-signed certificate.

Since web injects are the main “profile” of Zeus Sphinx, the malware hooks into explorer.exe and the browser and monitors for visits to targeted pages (for example, an online banking platform). It then modifies those pages so that the user's credentials are sent to the attackers' remote server.

I must say that Zeus Sphinx is just one of many malware families currently exploiting the COVID-19 theme. Malicious domains dedicated to the coronavirus already number in the tens of thousands, and even hacked routers scare their owners with urgent information about the pandemic.
