Resurface of Zeus Sphinx trojan: threat actors abusing COVID-19 crisis

Phishing surrounding coronavirus outbreak continues – scam emails deliver a new version of Zeus Sphinx banking trojan

Zeus Sphynx emerges in a new COVID-19 spam phishing campaign

While some cybercriminals promise to spare infecting healthcare providers with malware during a difficult time of coronavirus outbreak,^[1] others are keen to use it for personal gain. Security researchers at IBM X-Force uncovered a new phishing campaign that tries to abuse COVID-19 situation worldwide by infecting computers with a banker trojan Zeus Sphinx, which first emerged in August 2015.^[2]

Now, after three years of being under the radar, it surfaced once again. Malware stems from the notorious Zeus trojan^[3] that infected hundreds of thousand machines back in the late 2000s – it is based on Zeus' source-code that was leaked in 2011.^[4] Security researchers claim that this variant of malware does not differ much from its original release and that its main goal is to capture victims' credentials and steal banking information.

Zeus Sphinx was first observed attacking users in December last year, and now is actively being distributed with the help of phishing emails that surround the government COVID-19 relief payments. This is not the first time the pandemic was abused by cybercriminals, however, as we saw several phishing campaigns that infected victims with Ryuk,^[5] BlackNET, Netwalker, AZORult, and much more.

Social engineering fuels COVID-19 phishing attacks

Due to a health crisis, many governments are trying to send people relief payments and help them to cope with the current situation – this help is exceptionally needed for those who lost their jobs. Threat actors saw this situation as an opportunity to deliver Zeus Sphinx malware, shamelessly stealing peoples' money. The malware seems to be targeting user accounts in banks located in the US, Canada, as well as Australia.

Just like most of the other malware campaigns, Zeus Sphinx authors utilize email attachments to begin the infection routine. Researchers found that the clipped attachment was a Microsoft Word document titled “COVID 19 Relief.doc.” Inside, there was information about the alleged check that users are eligible to claim until a specified date:

Canadian Prime Minister Justin Trudeau approved an immediate check of $2,500.00 =/CAD for those who choose to stay at home during Coronavirus crisis. Here is the form for the request. Please fill it out and submit it no later than 25/03/2020.

Password is 1234

Claiming that the relief is only available till a particular date is a typical tactic to make users perform actions provided inside the email – which is, opening the attachment.

The malicious document is password-protected to prevent email scanners from detecting it as malicious, researchers explain. Once the .doc file is opened and password is entered, “Allow content” prompt pops up, ultimately begging the first phase of the infection routine.

A signed certificate

As soon as the macro feature is enabled, one of the legitimate Windows processes (WScript.exe) is hijacked, ultimately retrieving the main downloader, which will then contact a Command & Control server and execute malicious DLL file – it is placed into %SYSTEMDRIVE% folder.

From there, the file is launched with the help of another well-known Windows process – Regsvr32.exe, which begins the system modifications, injecting thousands of malicious files into %APPDATA% and other folders, as well as modifying Windows registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ for persistence purposes.

For antivirus evasion, Zeus Sphinx uses a self-signed certificate:

Sphinx signs the malicious code using a digital certificate that validates it, making it easier for it to stay under the radar of common antivirus (AV) tools when injected to the browser processes. In the following example, that file is named “Byfehi.”

Zeus Sphinx steals sensitive data with the help of web injects

Upon infection, Zeus Sphinx patches Windows Explorer process (explorer.exe) as well as those associated with web browsers – Internet Explorer (iexplorer.exe) Google Chrome, (chrome.exe) and Mozilla Firefox (firefox.exe). These patches are needed for malware to perform web injections without interruptions. Nevertheless, it turns out that the re-patching functionality is not enabled, so the function can be disabled with a software update.

The malware uses web-based panel called “Tables” for web infection process, which gathers all the relevant information from victims and sends it out to Command & Control servers, also fetching JS files:

Once a connection to the Tables panel has been established, Sphinx will fetch additional JavaScript files for its web injects to fit with the targeted bank the user is browsing. Injections are all set up on the same domain with specific JS scripts for each bank/target

Once victims land on the targeted pages, Zeus Sphinx contacts the C&C server in order to fetch relevant banking content, making users disclose their logins, secret codes, and other personal information.

To avoid being infected with malware that is being spread with the help of malicious COVID-19 phishing emails, users should never enable macros to be run on the infected document and employ a comprehensive anti-malware to prevent intrusion of malware like Zeus Sphinx.