Banking Malware Spreading via COVID-19 Relief Payment Phishing


Cybersecurity Insights | NIST

The Zeus Sphinx banking trojan has resurfaced after a three-year hiatus as part of a coronavirus-themed phishing campaign. COVID-19 is by far the most popular lure behind attacks during the current pandemic.

Zeus Sphinx (also known as Zloader and Terdot) is a malware strain first discovered in August 2015, when its operators used it to attack a number of British financial institutions. Like Zeus Panda and Floki Bot, it is based almost entirely on the leaked source code of the Zeus v2 trojan.

The malware was later used in attacks on banks around the world, from Australia and Brazil to North America, harvesting financial data through web injections that rely on social engineering to convince infected users to hand over authentication codes and credentials.


It has returned to the wild

The Zeus Sphinx campaign uses phishing emails carrying malicious documents disguised as COVID-19 relief payment information.

“While some Sphinx activity we detected trickled in starting December 2019, campaigns have only increased in volume in March 2020, possibly due to a testing period by Sphinx’s operators,” as IBM X-Force researchers Amir Gandler and Limor Kessem found.

“It appears that, taking advantage of the current climate, Sphinx’s operators are setting their sights on those waiting for government relief payments.”

Figure: phishing email sample (IBM X-Force)

Sphinx’s operators are also concentrating their efforts on customers of major US, Canadian and Australian banks, just as they did in previous campaigns.

The attackers ask potential victims to fill in a password-protected request form delivered as a .DOC or .DOCX document, which supposedly lets them claim the relief payments meant to help people staying at home.

When one of these malicious documents is opened on the target’s computer, it asks the user to enable macros. Once macros run, they fetch a malware downloader, which in turn retrieves the final Sphinx payload from a remote command-and-control (C&C) server.

Once a system is compromised, Sphinx achieves persistence and stores its configuration by creating several registry keys and writing data into folders it generates under %APPDATA%. That is the user’s own Roaming profile directory, so neither step needs elevated privileges.

Figure: registry entry created to gain persistence (IBM X-Force)
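A persistence mechanism like the one described above leaves a Run value whose image path points into the user profile, which is easy to hunt for across a fleet. The following is an added example, not IBM X-Force’s code or an indicator from their report: it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints and flags entries that live in user-writable folders, sit in random-looking directories, or borrow a Windows system binary name. The sample output, the value names (`Qjxwbnoa`, `Updater`) and every path in it are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample of what `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# prints. Every value name, folder and path here is hypothetical, not an IoC from the report.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Qjxwbnoa    REG_SZ    C:\Users\alice\AppData\Roaming\Qjxwbnoa\kxwcpt.exe
    Dropbox     REG_SZ    "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
    Updater     REG_EXPAND_SZ    %APPDATA%\Microsoft\Ctlfhj\svchost.exe
"""

# Locations a standard user can write to without elevation. An autorun entry that
# points here was planted by something running as the user, which is exactly what a
# macro-dropped payload is.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "%appdata%", "%localappdata%",
    "\\users\\public\\", "\\temp\\",
)

# Names that are only legitimate under %SystemRoot%; malware borrows them to blend in.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# One Run value per line: name, type, data. Value names containing spaces are not
# handled; use `reg export` instead if you need those.
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_(?:EXPAND_)?SZ)\s+(?P<data>.+?)\s*$")


@dataclass
class Finding:
    value_name: str
    image_path: str
    reasons: list


def extract_image_path(data):
    """Return the executable a Run value launches, honouring a quoted path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted data: assume the path has no spaces and everything after the first
    # space is an argument (Windows tries several splits; this is the common case).
    return data.split(" ", 1)[0]


def looks_random(name):
    """Crude lexical signal: generated folder names tend to contain long consonant
    runs ("Qjxwbnoa", "Ctlfhj") that product names rarely do. Tune before relying on it."""
    run = longest = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest >= 4


def audit_run_key(reg_query_output):
    """Flag Run values whose image lives in a user-writable folder, sits in a
    random-looking directory, or impersonates a Windows system binary."""
    findings = []
    for line in reg_query_output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path = extract_image_path(m["data"])
        low = path.lower()
        parts = path.split("\\")
        parent = parts[-2] if len(parts) >= 2 else ""
        reasons = []
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("image lives in a user-writable profile directory")
        if looks_random(parent):
            reasons.append(f"random-looking folder name {parent!r}")
        if parts[-1].lower() in SYSTEM_BINARIES and "\\windows\\" not in low:
            reasons.append(f"{parts[-1]} outside the Windows directory")
        if reasons:
            findings.append(Finding(m["name"], path, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_REG_QUERY):
        print(f"{f.value_name}: {f.image_path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the OneDrive and Dropbox entries pass while the two profile-resident entries are reported with their reasons. The same check is worth repeating for the HKLM Run key, the RunOnce keys and the user’s Startup folder, since a trojan that can only write as the user still has all of those available.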

“To carry out web injections, the malware patches explorer.exe and browser processes iexplorer.exe/chrome.exe/firefox.exe but doesn’t have the actual capability of repatching itself again if that patch is fixed, which makes the issue less persistent and unlikely to survive version upgrades,” the researchers also discovered.

Sphinx uses cloud-based control panels for web injections and pulls down custom inject files tailored to each targeted bank’s website to make the injections as convincing as possible.

The malware uses these web injections to alter bank websites so that victims type their passwords and authentication codes into fields that exfiltrate them to servers controlled by the attackers.
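To make concrete what an inject file does to a page, here is an added example (not code from the page, from Sphinx, or from IBM X-Force) that parses a rule in the `set_url` / `data_before` / `data_inject` / `data_after` / `data_end` syntax of the leaked Zeus v2 webinjects file, applies it to a page the way the inject engine does, and then shows the bank-side check that catches the result. The bank URL, the login page and the rule are constructed; whether Sphinx keeps the Zeus v2 syntax unchanged is an assumption, since the page only says the family is based on that source.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed inject rule in the leaked Zeus v2 webinjects syntax. The URL, markers
# and injected HTML are hypothetical. The flags column (here "GP") is kept but not
# interpreted by this example.
SAMPLE_CONFIG = """\
set_url https://www.examplebank.test/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<label for="otp">Enter the one-time code we just sent to your phone</label>
<input type="text" id="otp" name="otp">
data_end
data_after
<button
data_end
"""

# Constructed stand-in for the page the bank's server actually sent.
SAMPLE_PAGE = """\
<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<button type="submit">Sign in</button>
</form>
"""


@dataclass
class InjectRule:
    url_pattern: str
    flags: str
    before: str = ""
    inject: str = ""
    after: str = ""


def parse_webinjects(text):
    """Turn a webinjects file into rules; each data_* block runs until data_end."""
    rules, section, buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            rules.append(InjectRule(parts[1], parts[2] if len(parts) > 2 else ""))
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[5:], []          # "data_before" -> "before", etc.
        elif line == "data_end":
            if rules and section:
                setattr(rules[-1], section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)
    return rules


def apply_rule(rule, url, html):
    """Rewrite the page as the inject engine does: everything between data_before and
    data_after is replaced by data_inject; with an empty data_after the inject is placed
    directly after data_before. The page is returned unchanged if the rule does not apply."""
    if not fnmatchcase(url, rule.url_pattern) or not rule.before:
        return html
    start = html.find(rule.before)
    if start < 0:
        return html
    start += len(rule.before)
    if rule.after:
        end = html.find(rule.after, start)
        if end < 0:
            return html
    else:
        end = start
    return html[:start] + rule.inject + html[end:]


def apply_webinjects(rules, url, html):
    for rule in rules:
        html = apply_rule(rule, url, html)
    return html


FIELD_RE = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.IGNORECASE)


def added_form_fields(served_html, rendered_html):
    """The bank-side integrity check: input names present in the DOM the browser
    rendered that the server never sent. A client-side script that posts this
    difference back to the bank is how many institutions spot active injects."""
    return sorted(set(FIELD_RE.findall(rendered_html)) - set(FIELD_RE.findall(served_html)))


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    rendered = apply_webinjects(rules, "https://www.examplebank.test/login?lang=en", SAMPLE_PAGE)
    print(rendered)
    print("fields the server never sent:", added_form_fields(SAMPLE_PAGE, rendered))
```

The injected `otp` field lands between the real password box and the submit button, styled by the bank’s own CSS, which is why victims see nothing odd; because the rewrite happens inside the patched browser process, TLS and the address bar look normal too. The only reliable place to notice it is a comparison between what the server sent and what the browser is showing, which is what `added_form_fields` models.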

To avoid scams, malware infections and stolen information, don’t click links or open attachments sent by people you don’t know, and never enable macros in a document that arrived by email, since that is the step that triggers this infection. Make sure the pages you visit are legitimate by typing their address into the browser instead of following hyperlinks embedded in emails. Check out our security awareness training to see how we can help!
