After years of lying dormant, the Zeus Sphinx malware strain has been resurrected to capitalize on the coronavirus outbreak in a new wave of scams.
Spam emails claiming to hold the secret to novel coronavirus cures, texts and phone calls from operators pretending to be utilities and banks affected by the respiratory illness, and fake coronavirus-preventing products listed on online marketplaces have all appeared in response to the outbreak, whose case count had reached 723,000 at the time of writing.
Any crisis that can be profited from raises the interest of cyberattackers and fraudsters, and now, malware that has been absent from the threat landscape for close to three years has, once again, started making the rounds.
On Monday, IBM X-Force said that Zeus Sphinx -- also known as Zloader or Terdot -- has been spotted in campaigns launched in March that focus on government relief payments.
Zeus Sphinx was first detected in the wild in August 2015. The malware emerged as a commercial modular banking Trojan with core code elements based on Zeus v2. It targeted financial institutions across the UK, Australia, Brazil, and the US, and it has now reemerged with the same countries in its sights through a new coronavirus-themed campaign.
The researchers said that Zeus Sphinx is being spread through phishing campaigns carrying malicious attachments named "COVID 19 relief." The emails claim that a form must be filled out to receive funds meant to tide over people who now have to stay at home rather than work during the outbreak.
The attached form, usually a .DOC or .DOCX file, uses a typical technique to gain a foothold on a system. If downloaded and opened, the document asks the user to enable macros; the macro then triggers the Zeus Sphinx payload by way of hijacked Windows processes and a command-and-control (C2) server that hosts the malware.
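The attachment described above relies on the victim enabling macros. A mail gateway or analyst can triage such files before they reach anyone, and the following added example (written for this article, not code from IBM X-Force or the campaign) shows the check for the two container formats mentioned: legacy binary .DOC (an OLE2 compound file) and OOXML .DOCX/.DOCM (a ZIP archive). The sample files are constructed in memory; the OLE2 sample is only a magic header plus a directory-entry name, not a complete compound file, and the function names are assumptions for the example.

```python
"""Triage Office attachments for macro content (added example, constructed samples)."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML is a ZIP archive
# OLE2 directory entries store stream/storage names as UTF-16LE.
OLE2_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def classify_attachment(name: str, data: bytes) -> dict:
    """Return container type, whether VBA is present, and findings for one file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    info = {"name": name, "container": "unknown", "macro_capable": False,
            "macros_present": False, "findings": []}
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc can always carry VBA; a heuristic scan for the VBA
        # storage names avoids parsing the full directory tree here.
        info["container"] = "ole2"
        info["macro_capable"] = True
        if any(m in data for m in OLE2_VBA_MARKERS):
            info["macros_present"] = True
            info["findings"].append("OLE2 directory entry for a VBA project found")
        if ext not in ("doc", "dot", "xls", "ppt"):
            info["findings"].append(f"OLE2 container with unexpected extension .{ext}")
    elif data.startswith(ZIP_MAGIC):
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            info["findings"].append("ZIP signature but archive does not parse")
            return info
        names = set(archive.namelist())
        info["container"] = "ooxml" if "[Content_Types].xml" in names else "zip"
        if "[Content_Types].xml" in names:
            ctypes = archive.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in ctypes:
                info["macro_capable"] = True
                info["findings"].append("content types declare a macro-enabled document")
        vba_parts = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
        if vba_parts:
            info["macros_present"] = True
            info["findings"].append("embedded VBA project: " + ", ".join(vba_parts))
        if info["macros_present"] and ext in ("docx", "xlsx", "pptx"):
            # Word will not run macros from a .docx; a VBA part inside one
            # means the extension was changed to look harmless.
            info["findings"].append(f"macro project inside a .{ext} (extension/content mismatch)")
    else:
        info["findings"].append("not an Office container")
    return info


def verdict(info: dict) -> str:
    """block: VBA present; review: macro-capable legacy format; allow: otherwise."""
    if info["macros_present"]:
        return "block"
    if info["macro_capable"]:
        return "review"
    return "allow"


def build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML archive (test fixture, not a real document)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ctypes = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>')
    if with_macros:
        ctypes += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
    ctypes += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder VBA blob
    return buf.getvalue()


# Constructed fixtures named after the campaign's lure.
SAMPLE_DOCM = build_ooxml(with_macros=True)
SAMPLE_DOCX = build_ooxml(with_macros=False)
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64

if __name__ == "__main__":
    for fname, blob in (("COVID 19 relief.docm", SAMPLE_DOCM),
                        ("COVID 19 relief.docx", SAMPLE_DOCX),
                        ("COVID 19 relief.doc", SAMPLE_DOC)):
        result = classify_attachment(fname, blob)
        print(fname, verdict(result), result["findings"])
```

The OLE2 branch is deliberately a heuristic: a production gateway would parse the compound-file directory (or use a dedicated tool) rather than grep for UTF-16 names, and would also treat a legacy .DOC as worth a closer look even when no marker is found, which is why it returns "review" rather than "allow".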
Once installed on a compromised machine, Zeus Sphinx maintains persistence by dynamically writing itself to numerous files and folders, as well as creating registry keys. The malware also attempts to avoid detection as malicious software by using a self-signed certificate.
Web injections are the malware's specialty, and in some cases are still based on the Zeus v2 codebase. Zeus Sphinx patches explorer.exe and browser processes -- including those used by Google Chrome and Mozilla Firefox -- to fetch injections when a user visits a target page, such as an online banking platform. The injected code then modifies these pages to trick victims into handing over authentication details, which are harvested and sent to the malware's C2.
However, Zeus Sphinx has an inherent flaw: it has no mechanism for repatching a browser once the browser has been updated. Therefore, if a browser pushes an update, IBM says the web injection function is "unlikely to survive."
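A web injection of the kind described above leaves a visible trace: the bank's own login page suddenly carries form fields the real page never had (a PIN, a card number, a security question). The following added example (written for this article, not code from IBM X-Force or the malware) shows the integrity check a bank's page-telemetry or a fraud team could run over the rendered form: collect the form's input names and compare them with the expected set. The two HTML pages are constructed samples, and the field names and function names are assumptions for the example.

```python
"""Detect webinject-style extra form fields on a login page (added example)."""
from html.parser import HTMLParser

# Fields the genuine login form is known to contain (constructed allowlist).
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token"}

# Input types that never collect data from the victim and can be ignored.
NON_DATA_TYPES = {"submit", "button", "reset", "image"}


class FormFieldCollector(HTMLParser):
    """Gather (name, type) pairs for every field inside <form> elements."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._in_form = True
        elif self._in_form and tag in ("input", "select", "textarea"):
            name = attrs.get("name") or attrs.get("id")
            if name:
                self.fields.append((name, (attrs.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def injected_fields(html: str, expected: set) -> list:
    """Return field names present in the rendered form but absent from the allowlist."""
    collector = FormFieldCollector()
    collector.feed(html)
    return sorted({name for name, ftype in collector.fields
                   if ftype not in NON_DATA_TYPES and name not in expected})


# Constructed sample: the genuine page as served by the bank.
CLEAN_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed sample: the same page after a webinject added harvesting fields.
INJECTED_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <label>For your security, confirm your card details</label>
  <input type="text" name="card_number">
  <input type="password" name="atm_pin">
  <input type="text" name="mothers_maiden_name">
  <input type="submit" value="Sign in">
</form>
"""

if __name__ == "__main__":
    print("clean page:", injected_fields(CLEAN_PAGE, EXPECTED_LOGIN_FIELDS))
    print("injected page:", injected_fields(INJECTED_PAGE, EXPECTED_LOGIN_FIELDS))
```

The check is only meaningful when the comparison happens somewhere the inject cannot reach: the malware patches the browser itself, so a script running inside the tampered page can be neutered along with everything else. Shipping the collected field list to the server with the login request, and comparing it there, is the usual placement, and an unexpected field on a login attempt is a strong signal to step up authentication for that session.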
The campaign is ongoing, and only one of many.
Thousands of COVID-19-themed malicious domains have appeared in recent weeks, and in some cases, cyberattackers are using interesting methods to dupe victims into visiting these websites. Bitdefender researchers recently discovered D-Link and Linksys routers are being compromised and their DNS settings are being changed to point victims towards coronavirus-based websites serving malware.
Previous and related coverage
- eBay and Amazon are losing the battle against coronavirus profiteering
- Europol eradicates criminal gangs flogging fake coronavirus medicine, surgical masks
- As coronavirus challenges mount, WHO's reputation is being hijacked for data theft scams
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0