Zeus Sphinx Banking Trojan Makes A Comeback Amid COVID-19 Pandemic

After a three-year hiatus, the Zeus Sphinx banking Trojan is making a return, exploiting the most common theme behind attacks during the current pandemic: COVID-19-related malspam.

The Zeus Sphinx banking Trojan (a/k/a Terdot and Zloader) was first detected in August 2015. As security experts explained at the time, it is modular malware based on the leaked source code of the notorious Zeus banking Trojan, as are Floki Bot and Zeus Panda.


When it was first detected, the Zeus Sphinx banking Trojan went after a number of British financial targets, while in 2016 it switched its focus to the Rio Olympics. The core capability of Zeus Sphinx is harvesting online account credentials via web injections, which alter a bank's website and trick the victim into entering their credentials in a form that is sent directly to the attackers.

Before it can do that, however, the Zeus Sphinx banking Trojan first needs to infiltrate the system, and for that the attackers rely on social engineering tactics. The cybercriminals behind the current malspam and phishing campaigns that distribute Zeus Sphinx are using a coronavirus-related theme, sending out emails that allegedly contain a coronavirus relief form that the victim has to fill out in order to receive funds from the government.

According to Amir Gandler and Limor Kessem, security researchers from IBM's X-Force, the Zeus Sphinx operators continue to focus on banks located in the US, Australia, and Canada, sending out malware-laced documents named "COVID 19 relief" to their victims. The majority of the documents are .docx or .doc files, which, once opened, would prompt the user to enable macros, "unknowingly triggering the first step of the infection chain." Once the malicious macro is executed, it will install a malware downloader that will fetch the final payload from a remote command-and-control (C2) server.

The current infection routine is similar to the previous times that we have seen Zeus Sphinx in action, with researchers noting that: "At first, the malware creates a hollow process, msiexec.exe, and injects its code into it. This same step was used for deployment by older versions of Sphinx. It creates the first folder under %APPDATA% and creates an executable file in it. Later on, it will change the extension to .DLL for persistence purposes."
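A triage sketch for the routine quoted above, added here as an example and not taken from the IBM X-Force report or this article: it correlates a switchless msiexec.exe launch with an .exe in a folder directly under %APPDATA% that later reappears as a .dll. The event schema, the sample events and the "no switches" heuristic are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample telemetry (not from the report); field names are assumptions.
ROAMING = r"C:\Users\alice\AppData\Roaming"
EVENTS = [
    {"host": "ws1", "type": "proc", "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec.exe"},
    {"host": "ws1", "type": "file", "path": ROAMING + r"\Ukqo\peab.exe"},
    {"host": "ws1", "type": "file", "path": ROAMING + r"\Ukqo\peab.dll"},
    {"host": "ws2", "type": "proc", "image": r"C:\Windows\System32\msiexec.exe", "cmd": r"msiexec.exe /i C:\tmp\setup.msi /qn"},
    {"host": "ws2", "type": "file", "path": ROAMING + r"\Vendor\update.exe"},
    {"host": "ws3", "type": "proc", "image": r"C:\Windows\System32\msiexec.exe", "cmd": r'"C:\Windows\System32\msiexec.exe"'},
]

def bare_msiexec(ev):
    """True for msiexec.exe started with no switches; a real install passes /i, /x, /p ..."""
    if ev["type"] != "proc" or ntpath.basename(ev["image"]).lower() != "msiexec.exe":
        return False
    return re.fullmatch(r'\s*("[^"]*"|\S+)\s*', ev["cmd"]) is not None

def exe_to_dll_swaps(events):
    """(host, folder, stem) where an .exe in a folder directly under %APPDATA% later appears as .dll."""
    seen_exe, hits = set(), []
    for ev in events:
        if ev["type"] != "file":
            continue
        folder, name = ntpath.split(ev["path"].lower())
        stem, ext = ntpath.splitext(name)
        if ntpath.basename(ntpath.dirname(folder)) != "roaming":
            continue
        key = (ev["host"], folder, stem)
        if ext == ".exe":
            seen_exe.add(key)
        elif ext == ".dll" and key in seen_exe:
            hits.append(key)
    return hits

def suspect_hosts(events):
    """Hosts that show both signals; either one alone is too noisy to alert on."""
    bare = {ev["host"] for ev in events if bare_msiexec(ev)}
    swapped = {host for host, _, _ in exe_to_dll_swaps(events)}
    return sorted(bare & swapped)

if __name__ == "__main__":
    print(suspect_hosts(EVENTS))
```

Events must be fed in time order, since the swap check only counts a .dll that follows its .exe.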

Once it has established a foothold on the system, the Zeus Sphinx banking Trojan will begin communication with its C2 server using a platform called "Tables". The "Tables" platform is a web-based control panel for web injects that "provides all the necessary resources for the malware to infect and collect relevant information from infected victims' machines," according to Gandler and Kessem.

They elaborate: "Once a connection to the Tables panel has been established, Sphinx will fetch additional JavaScript files for its web injects to fit with the targeted bank the user is browsing. Injections are all set up on the same domain with specific JS scripts for each bank/target."

The Zeus Sphinx banking Trojan does, however, have one inherent flaw, according to security researchers: "To carry out web injections, the malware patches explorer.exe and browser processes iexplorer.exe/chrome.exe/firefox.exe but doesn't have the actual capability of repatching itself again if that patch is fixed, which makes the issue less persistent and unlikely to survive version upgrades."

Unfortunately, as the COVID-19 pandemic continues to unfold, more and more threat actors are exploiting people's fears to push all sorts of computer viruses as well. Government agencies around the globe have already started to warn people against opening any links or attachments that were sent by people they don't know, especially with the increased reliance on online communications that is due to the quarantine measures taken in many countries.
