Special Feature
Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

Zeus Sphinx revamped as coronavirus relief payment attack wave continues

The financial malware has been upgraded with new C2 setups and encryption keys.

Banking trojan returns rearmed by lockdown thieves

The Zeus Sphinx banking Trojan is now receiving frequent updates and upgrades to its malicious arsenal while being deployed in active coronavirus scams. 

On Monday, IBM Security researcher Nir Shwarts said the company has been tracking the evolution of the malware which is based on the leaked codebase of the well-known Zeus v.2 Trojan.

Zeus Sphinx -- also referred to as Zloader or Terdot -- first emerged in 2015 and was used in attacks launched against US banks. However, the malware vanished from the criminal scene and, with the exception of a handful of campaigns over the years, lay dormant until now, when it has once again been spotted in attacks against banks -- as well as a new campaign related to COVID-19.

In March, IBM documented a wave of attacks in which the Trojan has been hidden in phishing documents, spread via email and masked as information relating to COVID-19 relief payments. 

See also: Zeus Sphinx malware resurrects to abuse COVID-19 fears

These attacks remain active and attempt to capitalize on fears surrounding the financial ramifications of the virus, at a time where many have lost their means of support and are relying on assistance. 

According to IBM, the malware is now becoming more firmly entrenched by way of constant upgrades to improve its potency. 

Zeus Sphinx first lands on machines through a malicious attachment in which victims are asked to enable macros. Once deployed, the malware adds a Run key to the Windows Registry -- a very common method to maintain persistence that has also been used by Zeus Sphinx since it first appeared -- and will either deploy as an executable or as a malicious dynamic link library (DLL). 

The malware has been designed to grab credentials, such as banking details or account usernames and passwords for online services. Zeus Sphinx uses browser injection techniques to achieve this goal, inserting malicious code into explorer.exe and browser processes to redirect victims to fraudulent domains when they attempt to visit financial websites. 

Zeus Sphinx will also create a standalone process, named msiexec.exe to mimic a legitimate program, in an attempt to remain stealthy.  

CNET: Zoom security issues: Zoom buys security company, aims for end-to-end encryption

In January 2020, malware samples -- including a variant ID in Russian named "2020 Upgrade," used a varied command-and-control (C2) server domain list and an RC4 key for botnet communication encryption purposes. 

New variants of the malware, however, have expanded to include a different set of RC4 keys, a smaller and different set of C2s, and a new variant ID.

Sphinx also uses a pseudo-random number generator (PRNG) named MT19937 to create a variance in file names and resources for each infected device to try and avoid detection by static scanning tools. 

TechRepublic: 5 things developers should know about data privacy and security

"While less common in the wild than Trojans like TrickBot, for example, Sphinx's underlying Zeus DNA has been an undying enabler of online banking fraud," IBM says. "Financial institutions must reckon with its return and spread to new victims amid the current pandemic."

Trickbot, too, is being used in coronavirus-themed lures. Microsoft's Security Intelligence team said in April that phishing campaigns spreading the malware are using themes including COVID-19 testing and medical advice. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0