After first being discovered in 2015 targeting US banks, the Zeus Sphinx banking malware (also known as Zloader or Terdot) was observed in only a few campaigns over the last five years. The malware is now back, again targeting US banks and more recently being used in ongoing COVID-19 scams. IBM discovered some of the campaigns in March that used Zeus Sphinx in phishing documents spread through email and made to look like information about coronavirus relief funds. The malware makes its way onto a machine through an attachment that asks the victim to enable macros. After the malware is deployed, a Run key is added to the Windows registry (under Software\Microsoft\Windows\CurrentVersion\Run) to automatically run the malware’s executable or malicious Dynamic Link Library (DLL) whenever the victim’s computer restarts.

Zeus Sphinx was created to steal credentials, including banking details and account usernames and passwords for online banking services, and it uses browser injection techniques to do so. Injecting malicious code into explorer.exe and browser processes allows victims to be redirected to fraudulent domains when they attempt to visit financial websites. The malware has also adopted new RC4 encryption keys, a smaller set of Command and Control (C2) servers and a new variant ID. It also attempts to avoid detection by static scanning tools by using a pseudo-random number generator to change file names and resources for each infection.
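Because the file names and resources change per infection, a hash- or filename-based signature is unreliable; the persistence behaviour described above (an Office macro or script host writing a Run value that points at an executable or DLL in a user-writable folder) is a more stable thing to detect. The following is an added example, not code from Binary Defense or from the article, that runs that logic over a handful of constructed Sysmon-style "registry value set" (Event ID 13) records. The one-line `Field=value|Field=value` layout, the field names and every path, SID and file name in the sample are assumptions made for the illustration.

```python
"""Flag suspicious Run-key registrations in Sysmon-style registry events.

Added example for this write-up. The records below are constructed for
illustration; they are not real telemetry from any system.
"""
import re

# Constructed sample of Sysmon Event ID 13 (RegistryEvent: Value Set)
# records, flattened to one line each with '|' separating the fields.
SAMPLE_EVENTS = [
    # Macro-enabled Word document registering a DLL loaded via rundll32
    "EventID=13|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "TargetObject=HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svcupd|"
    "Details=rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\qlkx.dll,DllRegisterServer",
    # VBS script (e.g. from a zip attachment) registering an EXE dropped in Temp
    "EventID=13|Image=C:\\Windows\\System32\\wscript.exe|"
    "TargetObject=HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\chkdsk|"
    "Details=C:\\Users\\alice\\AppData\\Local\\Temp\\zw8r.exe",
    # Legitimate installer registering a vendor agent under Program Files
    "EventID=13|Image=C:\\Windows\\System32\\msiexec.exe|"
    "TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent|"
    "Details=C:\\Program Files\\Vendor\\agent.exe --tray",
    # Unrelated registry write that must not be flagged
    "EventID=13|Image=C:\\Windows\\explorer.exe|"
    "TargetObject=HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|"
    "Details=DWORD (0x00000001)",
]

# Processes that should rarely, if ever, be the writer of an autorun entry.
SCRIPT_OR_OFFICE_HOSTS = {
    "winword.exe", "excel.exe", "powerpnt.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
}

RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
DLL_LOADER_RE = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b.*\.dll", re.I)


def parse_event(line):
    """Split one flattened 'Field=value|Field=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def suspicious_reasons(event):
    """Return the list of reasons a Run-key write looks like malware persistence.

    An empty list means the event is either not a Run/RunOnce write or
    shows none of the traits described in the article.
    """
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return []
    reasons = []
    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    details = event.get("Details", "")
    if writer in SCRIPT_OR_OFFICE_HOSTS:
        reasons.append("office-or-script-host-writer")
    if USER_WRITABLE_RE.search(details):
        reasons.append("user-writable-path")
    if DLL_LOADER_RE.search(details):
        reasons.append("dll-via-rundll32-or-regsvr32")
    return reasons


def analyze(lines):
    """Return a finding per Run-key write that has at least one suspicious trait."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "13":
            continue
        reasons = suspicious_reasons(event)
        if reasons:
            findings.append({"key": event["TargetObject"],
                             "writer": event["Image"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding['key']}\n  written by {finding['writer']}\n"
              f"  reasons: {', '.join(finding['reasons'])}")
```

On the constructed sample the two malware-style entries are flagged (the Word-written rundll32 DLL entry on all three traits, the VBS-written Temp executable on two), while the vendor agent installed by msiexec under Program Files and the unrelated Explorer setting produce no finding. The same three checks can be expressed as a SIEM rule over real Sysmon or EDR registry telemetry; the user-writable-path and script-host-writer traits are the ones that survive the malware's per-infection renaming.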
Binary Defense has also observed Zeus Sphinx malware campaigns using zip files with malicious Visual Basic Script (VBS) files inside, which install the malware if the targeted employee double-clicks the VBS file. Companies should consider a trusted and proven anti-virus solution that detects known malware threats on their endpoints, as well as monitored Endpoint Detection and Response (EDR) to find and stop targeted attacks that anti-virus can’t detect. This gives the company the best chance to defend against malicious programs, even when threat actors alter their software to evade static detections. While many companies still have their employees working from home, it may be a good time to have them attend virtual security awareness training. Training of this sort shows users how to detect and defend against different styles of attack.