Zeus Sphinx malware resurrects to abuse COVID-19 fears

Operators are exploiting the pandemic in the quest to steal your financial information.
Written by Charlie Osborne, Contributing Writer

After years of lying dormant, the Zeus Sphinx malware strain has been resurrected to capitalize on the coronavirus pandemic in a new wave of scams.

Spam emails claiming to hold the secret to novel coronavirus cures, texts and phone calls from operators pretending to be utilities and banks affected by the respiratory illness, and fake coronavirus-preventing products listed on online marketplaces have all appeared in response to the outbreak, whose case numbers have reached 723,000 at the time of writing.

Any crisis that can be profited from raises the interest of cyberattackers and fraudsters, and now, malware that has been absent from the threat landscape for close to three years has, once again, started making the rounds. 

On Monday, IBM X-Force said that Zeus Sphinx -- also known as Zloader or Terdot -- has been spotted in campaigns launched in March that focus on government relief payments. 


Zeus Sphinx was first detected in the wild in August 2015. The malware emerged as a commercial modular banking Trojan with core code elements based on Zeus v2. The malware targeted financial institutions across the UK, Australia, Brazil, and the US; and now, Zeus Sphinx has reemerged with a focus on the same countries through a new coronavirus-themed campaign. 

The researchers said that Zeus Sphinx is being spread through phishing campaigns carrying malicious files named "COVID 19 relief." The emails claim that a form must be filled out to receive funds meant to tide over people who now have to stay at home rather than work during the outbreak.

The attached form, usually a .DOC or .DOCX file, uses a typical technique to gain a foothold on a system. If downloaded and opened, the document requests that the user enable macros, which in turn triggers the Zeus Sphinx payload by way of hijacked Windows processes and a connected command-and-control (C2) server that hosts the malware.
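The macro-bearing Word lure described above can be screened before anyone opens it. The following is an added example, not code from the article or from IBM X-Force: it relies on the fact that an Office Open XML document (.docx/.docm) is a ZIP package in which a VBA project is stored as the part word/vbaProject.bin and declared in [Content_Types].xml, while a legacy binary .doc is an OLE2 compound file that needs a separate OLE parser. The sample documents it builds are constructed in memory and are not real lures; the quarantine policy in triage() is an assumed gateway rule, not a published one.

```python
"""Triage check for macro-bearing Word attachments.

Added example (not from the article or IBM X-Force). An OOXML document is a
ZIP package: a VBA project is the part word/vbaProject.bin and is declared
in [Content_Types].xml. Legacy .doc files are OLE2 containers and need an
OLE parser (e.g. oletools' olevba) instead of ZIP inspection.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file header (legacy .doc)
VBA_PART = "word/vbaProject.bin"
CONTENT_TYPES = "[Content_Types].xml"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macros', 'ooxml-clean', 'ole-legacy' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        # Binary .doc: macro streams sit inside the OLE container, invisible
        # to ZIP inspection, so route these to an OLE parser or hold them.
        return "ole-legacy"
    if not data.startswith(b"PK"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if VBA_PART in names:
                return "ooxml-macros"
            # The content-type map can announce a VBA part even when the part
            # itself is renamed or missing; treat either signal as macro-bearing.
            if CONTENT_TYPES in names and VBA_CONTENT_TYPE in zf.read(CONTENT_TYPES):
                return "ooxml-macros"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "unknown"


def triage(filename: str, data: bytes) -> str:
    """Assumed gateway policy: hold anything with a VBA project, hold legacy
    .doc for deeper inspection, and flag a .docx that secretly carries macros."""
    verdict = classify_attachment(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if verdict == "ooxml-macros":
        if ext == "docx":
            return "hold: VBA project inside a .docx (extension mismatch)"
        return "hold: macro-enabled document"
    if verdict == "ole-legacy":
        return "hold: legacy binary .doc, needs OLE inspection"
    if verdict == "ooxml-clean":
        return "allow: no VBA project found"
    return "hold: unrecognised format"


def build_sample_docx(vba_part: bool, declare_type: bool) -> bytes:
    """Construct a minimal OOXML package in memory (sample data, not a real lure)."""
    overrides = [
        '<Override PartName="/word/document.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if declare_type:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES, content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if vba_part:
            zf.writestr(VBA_PART, OLE_MAGIC + b"\x00" * 32)  # placeholder bytes, no real VBA
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx(vba_part=True, declare_type=True)
    print(triage("COVID 19 relief.docx", lure))
    print(triage("form.docx", build_sample_docx(False, False)))
```

The check is deliberately cheap (no XML parsing, no Office automation) so it can run on every inbound attachment; a hit is a reason to hold the message for analysis, not proof of Zeus Sphinx specifically.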


Once installed on a compromised machine, Zeus Sphinx maintains persistence by dynamically writing itself to numerous files and folders, as well as creating registry keys. The malware also attempts to avoid detection as malicious software by using a self-signed certificate.

Web injections are the malware's specialty, and in some cases are still based on the Zeus v2 codebase. Zeus Sphinx patches explorer.exe and browser processes -- including those used by Google Chrome and Mozilla Firefox -- to fetch injections when a user visits a target page, such as an online banking platform. The injected code then modifies these pages to trick the user into handing over authentication details, which are harvested and sent to the malware's C2.


However, Zeus Sphinx does contain an inherent flaw: it has no process for repatching browsers. Therefore, if a browser pushes an update, IBM says the web injection function is "unlikely to survive."

The campaign is ongoing, and only one of many.

Thousands of COVID-19-themed malicious domains have appeared in recent weeks, and in some cases, cyberattackers are using interesting methods to dupe victims into visiting these websites. Bitdefender researchers recently discovered D-Link and Linksys routers are being compromised and their DNS settings are being changed to point victims towards coronavirus-based websites serving malware. 
