After being discovered in 2015 targeting US banks, the Zeus Sphinx banking malware (also known as Zloader or Terdot) was observed in only a few campaigns over the following five years. The malware is now back, again targeting US banks and more recently being used in ongoing COVID-19 scams. IBM discovered several campaigns in March that delivered Zeus Sphinx through phishing documents spread by email and made to look like information about coronavirus relief funds.

The malware reaches a machine through an attachment that asks the victim to enable macros. Once deployed, it adds a Run key to the Windows registry (under Software\Microsoft\Windows\CurrentVersion\Run) so that its executable or malicious Dynamic Link Library (DLL) is launched automatically whenever the victim's computer restarts.

Zeus Sphinx was built to steal credentials, including banking details and the usernames and passwords for online banking services, and it does so through browser injection. By inserting malicious code into explorer.exe and browser processes, it can redirect victims to fraudulent domains when they attempt to visit financial websites. The new variant has also adopted fresh RC4 encryption keys, a smaller set of Command and Control (C2) servers and a new variant ID. To evade static scanning tools, it uses a pseudo-random number generator to change file names and resources for each infection.
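As an added defensive example (not code from the article or from IBM's report), the following PowerShell script enumerates the Run keys the article names and flags entries that fit the persistence pattern it describes: an executable or DLL auto-started from a user-writable location, or a DLL loaded through a host process. The path pattern and the choice of rundll32/regsvr32 as DLL loaders are assumptions, not indicators from the page.

```powershell
# Added example, not from the original article: audit Windows Run keys for
# auto-start entries matching the persistence pattern described above.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories that legitimate installers rarely use for auto-start binaries (assumption).
$suspiciousPathPattern = '\\(AppData|Temp|Users\\Public|ProgramData)\\'
# A DLL cannot be started directly, so DLL persistence usually goes through a host
# process; rundll32/regsvr32 are the common ones (assumption, not from the article).
$dllLoaderPattern = '(?i)(rundll32|regsvr32)\.exe.*\.dll'

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties PowerShell attaches to the object.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            $reasons = @()
            if ($cmd -match $suspiciousPathPattern) { $reasons += 'user-writable path' }
            if ($cmd -match $dllLoaderPattern)      { $reasons += 'DLL via host process' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $cmd
                    Reason  = ($reasons -join ', ')
                }
            }
        }
    }
}

# Print any flagged entries; an empty result means no entry matched either rule.
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Run it in an elevated session to read the HKLM keys; a hit is a lead for triage (check the file's signature and hash), not proof of infection.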