The Zeus Sphinx banking trojan has seen a recent resurgence in the United States, sporting some modifications and using COVID-19 spam as a lure.
Sphinx re-emerged in December but saw a big spike in March via the use of coronavirus themes. Since April, it has been seen attacking U.S. targets with a few changed processes. The main upgrades in the latest version, which harvests user credentials and other personal information from online banking sessions, can be found in the process-injection and bot-configuration aspects of the malware’s operations, according to researchers.
“While Sphinx has been an on-and-off type of operation over the years, it appears it is now on-again, with version updates and new infection campaigns that are back to targeting North American banks,” Nir Shwarts and Limor Kessem at IBM X-Force Security wrote in a Monday posting.
Persistence Mechanism and Process Injection
In order to survive system reboots, Sphinx establishes persistence by adding a Run key to the Windows Registry. In its latest iteration, Sphinx establishes the Run key depending on its payload format, which can come in either executable or dynamic link library (DLL) versions.
Also, Sphinx is designed with the ability to hook browser functions.
“Before gaining the ability to hook these types of functions, Sphinx has to ensure its stealthy ongoing operations on the OS,” the researchers explained. “It does this by injecting malicious code into other processes first.”
Specifically, Sphinx calls on the CreateProcessA function, which creates a new process and its primary thread. Then, it calls the WriteProcessMemory function to inject a payload into the msiexec.exe process.
“The function’s parameters are msiexec.exe for the new process name and the suspend flag applied as the process state,” according to the analysis. “This is another part of the malware’s stealth mechanism, as msiexec.exe usually stands for the name of a legitimate Windows Installer process that is responsible for installation and storage.”
Next, Sphinx changes the execution point of the targeted process to start from the injected payload, using GetThreadContext and SetThreadContext functions.
“GetThreadContext is used to get the current extended instruction pointer of the remote process,” according to Shwarts and Kessem. “SetThreadContext is used to set the current extended instruction pointer of the remote process.” That instruction pointer then determines where execution resumes in the target process.
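The injection chain above (a suspended msiexec.exe created by an unexpected parent, then written to and re-pointed by that parent) is a detectable sequence. The following is an added example, not code from the article or the IBM X-Force report: a small detector over constructed process telemetry whose event and field names are assumptions, not those of Sysmon or any particular EDR.

```python
# Constructed telemetry records (not real logs). Each record carries the
# acting process's pid and, for cross-process events, the target pid.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4401, "parent_pid": 3120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Users\bob\AppData\Roaming\x.exe",
     "flags": ["CREATE_SUSPENDED"]},
    {"event": "memory_write", "pid": 3120, "target_pid": 4401, "bytes": 221184},
    {"event": "thread_context_set", "pid": 3120, "target_pid": 4401},
    {"event": "thread_resume", "pid": 3120, "target_pid": 4401},
    # Benign: the Windows Installer service starting msiexec.exe normally.
    {"event": "process_create", "pid": 5002, "parent_pid": 900,
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "flags": []},
]

# Assumption: parents that legitimately launch msiexec.exe in this estate.
EXPECTED_PARENTS = {"services.exe", "msiexec.exe", "explorer.exe"}


def detect_hollowing(events, target_name="msiexec.exe"):
    """Return alerts for target processes that were created suspended by an
    unexpected parent and then written to and re-pointed by that same parent."""
    suspects = {}  # target pid -> {parent_pid, parent_image, stages}
    for ev in events:
        if ev["event"] == "process_create" and ev["image"].lower().endswith(target_name):
            parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
            if "CREATE_SUSPENDED" in ev["flags"] and parent not in EXPECTED_PARENTS:
                suspects[ev["pid"]] = {"parent_pid": ev["parent_pid"],
                                       "parent_image": ev["parent_image"],
                                       "stages": set()}
        elif ev["event"] in ("memory_write", "thread_context_set", "thread_resume"):
            rec = suspects.get(ev["target_pid"])
            # Only count follow-up actions performed by the creating parent.
            if rec and ev["pid"] == rec["parent_pid"]:
                rec["stages"].add(ev["event"])
    alerts = []
    for pid, rec in suspects.items():
        # Write plus thread-context change is the core of the technique;
        # a suspended launch alone is not enough to alert on.
        if {"memory_write", "thread_context_set"} <= rec["stages"]:
            alerts.append({"target_pid": pid, "parent_image": rec["parent_image"],
                           "stages": sorted(rec["stages"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(SAMPLE_EVENTS):
        print("possible process hollowing:", alert)
```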
The injected executable in msiexec.exe harbors the bot’s encrypted configuration, which contains the malware’s variant ID: “obnovlenie2020,” which in Russian translates to “2020 Upgrade.”
The configuration file also contains a hardcoded command-and-control (C2) server domain list, along with an RC4 key that Sphinx uses to encrypt and decrypt most of its data.
“These elements can help defenders better protect networks against Sphinx infections by monitoring or blocking any communications to the listed C2 servers,” the researchers wrote. “The RC4 key itself is an important element to those looking to analyze the malware…Please note that the key inside the configuration is different from the key used to decrypt the configuration itself.”
Also, the analysts observed Sphinx configurations being modified as campaigns progress, changing the C2 addresses and the RC4 keys. The malware fingerprints infected devices in order to push updates to them over time.
“Once infected by Sphinx, every device sends information home and is defined in the botnet by a bot ID to ensure control and updates through the attacker’s server,” the researchers said. “To do that, Sphinx uses an algorithm that includes the following elements from the infected device: Volume C GUID; computer name; Windows version; Windows install date; [and] digital product ID…After creating the bot ID, it’s encrypted with an RC4 stream cipher using the key derived from the bot’s configuration and then stored in the Registry with other binary data.”
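The two-key layering the researchers point out (one key decrypts the configuration, and a second key found inside that configuration decrypts other data such as the stored bot ID) is easy to get wrong during analysis. The following is an added example, not code from the article or the report: the keys, blobs, bot-ID field layout and the "key=value;" configuration layout are all constructed for illustration.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the cipher is symmetric, so one call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:  # keystream generation XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_config(plain: bytes) -> dict:
    """Constructed layout: 'k=v;' fields carrying the variant ID, C2 list and inner key."""
    fields = (f.split("=", 1) for f in plain.decode().split(";") if f)
    return {k: v for k, v in fields}


def decrypt_layers(config_blob: bytes, config_key: bytes, data_blob: bytes):
    """Decrypt the configuration with the outer key, extract the inner RC4 key
    it carries, then use that inner key on a separately stored blob."""
    cfg = parse_config(rc4(config_key, config_blob))
    inner_key = cfg["rc4key"].encode()
    return cfg, rc4(inner_key, data_blob)


# Constructed sample: build both encrypted blobs the way an analyst would find
# them (config in the injected payload, bot-ID record in the Registry).
CONFIG_KEY = b"outer-key-constructed"
CONFIG_PLAIN = (b"variant=obnovlenie2020;"
                b"c2=c2-a.invalid,c2-b.invalid;"
                b"rc4key=inner-key-constructed;")
CONFIG_BLOB = rc4(CONFIG_KEY, CONFIG_PLAIN)
# Constructed bot-ID record from the five elements the researchers list.
BOT_ID_PLAIN = b"volume-c-guid|HOSTNAME|10.0.19041|20200101|digital-product-id"
BOT_ID_BLOB = rc4(b"inner-key-constructed", BOT_ID_PLAIN)

if __name__ == "__main__":
    cfg, bot_id = decrypt_layers(CONFIG_BLOB, CONFIG_KEY, BOT_ID_BLOB)
    print("C2 list:", cfg["c2"].split(","))
    print("bot ID record:", bot_id)
```

Applying the configuration key directly to the bot-ID blob yields garbage, which is exactly the mistake the researchers' note about the two keys is meant to prevent.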
Back Under Cover of COVID-19
First seen in August 2015, Sphinx is a modular malware based on the leaked source code of the infamous Zeus banking trojan, the researchers explained. Like other banking trojans, Sphinx’s core capability is to harvest online account credentials for online banking sites (and some other services). When infected users land on a targeted online banking portal, Sphinx dynamically fetches web injections from its command-and-control (C2) server to modify the page that the user sees, so that the information that the user enters into the log-in fields is sent to the cybercriminals.
“Over the years, Sphinx has been in different hands, initially offered as a commodity in underground forums and then suspected to be operated by various closed gangs,” Shwarts and Kessem explained. “After a lengthy hiatus, this malware began stepping up attack campaigns.”
While Sphinx (a.k.a. Zloader or Terdot) started out attacking targets in North America, different operators have launched it into campaigns in other parts of the world over the years, such as the U.K., then Brazil, then Canada and Australia. Most recently, Sphinx was deployed in infection campaigns targeting users in Japan, the researchers noted. Now, it has been re-focused on North America as Sphinx’s operators looked to take advantage of the interest and news around government relief payments.
“While less common in the wild than trojans like TrickBot, for example, Sphinx’s underlying Zeus DNA has been an undying enabler of online banking fraud,” according to Shwarts and Kessem. “Financial institutions must reckon with its return and spread to new victims amid the current pandemic.”