Zeus Sphinx Banking Trojan Arises Amid COVID-19

The malware is back after three years, looking to cash in on interest in government relief efforts around coronavirus.

The Zeus Sphinx banking trojan is back after being off the scene for nearly three years.

According to researchers Amir Gandler and Limor Kessem at IBM X-Force, Sphinx (a.k.a. Zloader or Terdot) began resurfacing in December. However, the researchers observed a significant increase in volume in March, as Sphinx’s operators looked to take advantage of the interest and news around government relief payments.

First seen in August 2015, Sphinx is a modular malware based on the leaked source code of the infamous Zeus banking trojan, the researchers explained. Like other banking trojans, Sphinx’s core capability is to harvest online account credentials for online banking sites (and some other services). When infected users land on a targeted online banking portal, Sphinx dynamically fetches web injections from its command-and-control (C2) server to modify the page that the user sees, so that the information that the user enters into the log-in fields is sent to the cybercriminals.

In terms of theme, Sphinx is joining the growing fray of COVID-19-themed phishing and malspam campaigns ramping up worldwide. In the March campaigns, the emails tell targets that they need to fill out an attached form to receive coronavirus relief from the government. In the latest campaigns, Sphinx is spreading via coronavirus-themed emails sent to victims in the U.S., Canada and Australia, delivered in malicious attachments named “COVID 19 relief,” according to an X-Force blog posting on Monday.

“From a variety of Office programs, with the majority being .doc or .docx files, these documents at first request the end user to enable executing a macro, unknowingly triggering the first step of the infection chain,” according to the posting. “Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader. Next, the downloader will communicate with a remote command-and-control (C2) server and fetch the relevant malware — in this case, the new Sphinx variant.”

Infection Routine

Once the Sphinx macros are enabled, the document creates a malicious folder under %SYSTEMDRIVE% and writes a batch file into it, the researchers explained in their analysis. The code then executes this batch file, and then writes a VBS file to the same folder.

The malware then uses a legitimate WScript.exe process to execute the VBS file, which creates a communication channel with the C2 server. After that, it downloads a malicious executable in the form of a DLL library file. This malicious DLL is the core Sphinx executable, which is also written to the folder under %SYSTEMDRIVE%.

Sphinx itself is then executed using the Regsvr32.exe process.

“At first, the malware creates a hollow process, msiexec.exe, and injects its code into it,” according to Gandler and Kessem. “This same step was used by older versions of Sphinx for deployment. It creates the first folder under %APPDATA% and creates an executable file in it. Later on, it will change the extension to .DLL for persistence purposes.”

Also, the variant communicates with its C2 server using a web-based control panel for web injects called “Tables.”

“The Tables web injects system has been operational since 2014, fitted for, and mostly used by, Zeus-type Trojans that target entities in North America and Europe,” said the researchers. “This panel provides all the necessary resources for the malware to infect and collect relevant information from infected victims’ machines. Once a connection to the Tables panel has been established, Sphinx will fetch additional JavaScript files for its web injects to fit with the targeted bank the user is browsing. Injections are all set up on the same domain with specific JS scripts for each bank/target.”

And finally, Sphinx signs the malicious code using a digital certificate that validates it, making it easier for the code to stay under the radar of common antivirus (AV) tools when it is injected into browser processes.

The malware variant being used is only slightly different from previous samples seen in older campaigns, according to the researchers. For instance, the malware creates a run key in the Registry, so that the DLL is triggered using the Regsvr32.exe process. The malware also creates two Registry hives under HKCU\Software\Microsoft\, each one containing one key that holds a part of its configuration.
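The process chain and Run-key persistence described above translate into a few behavioral detection rules. The sketch below is an added example, not code from X-Force or from this article; the event field names, the folder and file names, the standard `CurrentVersion\Run` key path, and the assumption that msiexec.exe appears as a child of regsvr32.exe are all illustrative.

```python
import re

# Constructed sample events (process creation and registry value set);
# folder and file names are placeholders, not indicators from the report.
EVENTS = [
    {"type": "proc", "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": r"cmd /c C:\exampledir\a.bat"},
    {"type": "proc", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WScript.exe", "cmd": r"wscript C:\exampledir\b.vbs"},
    {"type": "proc", "parent": r"C:\Windows\System32\WScript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe", "cmd": r"regsvr32 -s C:\exampledir\c.dll"},
    {"type": "proc", "parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec.exe"},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\example",
     "data": r"regsvr32.exe /s C:\Users\u\AppData\Roaming\Exampl\d.dll"},
    {"type": "proc", "parent": r"C:\Windows\explorer.exe",  # benign control case
     "image": r"C:\Windows\System32\regsvr32.exe", "cmd": r"regsvr32 C:\Windows\System32\scrrun.dll"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script or DLL in a folder directly under the drive root, outside standard system folders
ROOT_DIR = re.compile(r"[a-z]:\\(?!windows\\|program files|users\\|programdata\\)"
                      r"[^\\\s]+\\[^\\\s]+\.(bat|vbs|dll)\b", re.I)
APPDATA_DLL = re.compile(r"\\appdata\\\S+\.dll\b", re.I)

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(ev):
    if ev["type"] == "reg":
        persists = (re.search(r"\\currentversion\\run\\", ev["key"], re.I)
                    and "regsvr32" in ev["data"].lower() and APPDATA_DLL.search(ev["data"]))
        return "run-key-regsvr32-appdata-dll" if persists else None
    img, par, cmd = base(ev["image"]), base(ev["parent"]), ev["cmd"]
    if par in OFFICE and img in {"cmd.exe", "wscript.exe"}:
        return "office-spawns-script-host"
    if img == "wscript.exe" and ROOT_DIR.search(cmd):
        return "wscript-script-from-root-folder"
    if img == "regsvr32.exe" and (ROOT_DIR.search(cmd) or APPDATA_DLL.search(cmd)):
        return "regsvr32-dll-from-unusual-path"
    if img == "msiexec.exe" and par == "regsvr32.exe":  # assumed parent/child link
        return "regsvr32-spawns-msiexec"
    return None

def scan(events):
    return [(i, detect(ev)) for i, ev in enumerate(events) if detect(ev)]
```

Each rule on its own is noisy in some environments; correlating several hits on one host within a short window gives a much stronger signal than any single match.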

Coronavirus-themed campaigns continue to roll out. These include malware attacks, booby-trapped URLs and credential-stuffing scams. APT groups have been eyeing the pandemic as a lure for spreading data exfiltration malware – particularly with more businesses moving to a work from home model in response to the virus.
