The Zeus Sphinx malware is back, it was observed in a new wave of attacks attempting to exploit the interest in the Coronavirus outbreak.
Now the Zeus Sphinx malware is back, operators are spreading it in a spam campaign aimed at stealing victims’ financial information.
Spam messages sent to the victims claim to provide information related to the
The Zeus Sphinx variant used in the recent Coronavirus-themed campaign is only slightly different than the original.
Spam emails include a form, in an MS Word format, that must be filled out to receive funds to help people that now are at home due to the COVID 19 pandemic. The document is password-protected, likely to prevent analysis before it is received by the potential victim, the password is included in the content of the email.
Once opened, the document displays a message to instruct victims in enabling macros to view the content, unfortunately this action start the infection process.
“Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader.” continues the post.”Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the relevant malware — in this case, the new Sphinx variant.”
Zeus Sphinx gains
Sphinx signs the malicious code using a digital certificate, a common evasion technique, when injected into
Experts observed that web injections are in some cases still based on the Zeus v2
“As a modular banking Trojan that’s based on the dated Zeus v2 code, Sphinx’s core capability is to collect online account credentials from banks and a wide range of other websites.” continues the post. “It calls on its C&C server to fetch relevant web injections when infected users land on a targeted page and uses them to modify the pages users are browsing to include social engineering content and trick them into divulging personal information and authentication codes.”
Experts pointed out that if a browser pushes an update, the web injection function will likely not “survive.”
The report published by IBM X-Force also provided technical details about the threat, including IoCs.
Unfortunately, the number of COVID19-themed attacks continue to increase, if you are interested to receive info about the attacks observed in the last week give a look at: