Zeus Sphinx Banking Trojan Has Come Back From the Dead Just in Time for the Pandemic

Zeus Sphinx Comes Back in the middle of the COVID-19 Pandemic

Zeus Sphinx is officially back. Also known as Terdot, the banking trojan gained infamy a few years ago when its operators used clever distribution methods to spread the malware around and steal people's passwords. Back then, security researchers explained how, in addition to exfiltrating login data for financial institutions, the malware operators were trying to hijack victims' social media accounts and use them as a propagation vehicle. At one point, however, they suddenly stopped distributing it. Now, they've turned back to it, and when you see how it works, you might be left wondering why they abandoned it in the first place.

Zeus Sphinx didn't need a major update

The new wave of Zeus Sphinx infections was spotted by researchers from IBM. The first signs of a comeback were shown way back in December, but in March, the number of victims spiked significantly. IBM's experts dissected one of the intercepted samples and noticed that there weren't any truly major updates to the way the malware functions.

The current campaign relies on malicious Microsoft Office documents that serve as downloaders for the payload. The file is laced with macro instructions, which create a new folder on the PC's system drive and drop a batch file in it. A new VBS file is created which uses the WScript.exe process to establish a connection to the Command & Control (C&C) server and download the payload in the form of a DLL. Once deployed, Zeus Sphinx adds a new registry key to establish persistence and sets about stealing people's financial data.

As the name suggests, Zeus Sphinx is based on Zeus – one of the most infamous malware families of this type. The trojan steals usernames and passwords with the help of web injections. Whenever it detects that the user is visiting their bank's website, Zeus Sphinx injects code and sends any login credentials and two-factor authentication codes to the crooks. The worst thing about this technique is that the user has no way of knowing that something's wrong. But how likely are they to infect their systems with Zeus Sphinx in the first place?

Zeus Sphinx uses the COVID-19 pandemic to get to more people

As you probably know already, over the last few months, cybercriminals have been using various social engineering techniques to exploit the fear surrounding the current coronavirus pandemic, and the people distributing Zeus Sphinx have decided to take a similar approach.

The malicious Office documents arrive on the back of emails with subjects that read "COVID-19 Payment," and in the example IBM showed us, the message says that Justin Trudeau, Canada's Prime Minister, has approved a $2,500 award to each and every one of his fellow Canadians who have decided to stay at home during the coronavirus pandemic. To claim it, the user needs to open the attached document and fill it in.

It shouldn't really be a surprise that, like so many other cybercriminal gangs, the operators of Zeus Sphinx are trying to bank on the panic surrounding COVID-19. What is a bit shocking, however, is that there are still people who might fall for this particular scam.

Even if you are convinced that you can avoid this scheme, there are plenty of others that are much more believable. Make sure you take everything you find in your inbox with a pinch of salt, especially if it was sent by someone you don't know.

March 31, 2020