Enhanced Zeus Sphinx Trojan Used in COVID-19 Schemes
Researchers Say New Features and Functionality Added
The operators behind the Zeus Sphinx malware have added new features and functionality to the Trojan over the last several months, and more cybercriminals have deployed it within phishing and spam emails that use the COVID-19 crisis as a lure, according to researchers at IBM X-Force.
The modifications to the Zeus Sphinx Trojan include an updated command-and-control server infrastructure as well as new methods to help the malware maintain persistence within an infected device, IBM researchers say. The Trojan has become more efficient at stealing banking and financial data - its main purpose, they point out.
"Zeus Sphinx primarily targets online banking accounts, and over time, it has the capability to steal various credentials used by a victim - their personal data, payment card data and more," Limor Kessem, IBM Security’s executive security adviser, tells Information Security Media Group.
And while the Zeus Sphinx variant has been around for at least five years, in recent months, cybercriminals have been relying on it to help with a variety of scams with COVID-19 themes.
"While less common in the wild than Trojans like TrickBot, for example, Sphinx's underlying Zeus DNA has been an undying enabler of online banking fraud," according to the IBM report released Monday. "Financial institutions must reckon with its return and spread to new victims amid the current pandemic."
In March, IBM and security firm FireEye warned in separate reports that a number of phishing and spam campaigns using the U.S. government stimulus program as a lure were spreading the Zeus Sphinx Trojan, which is also known as SilentNight, Zloader and Terdot (see: Phishing Campaigns Leverage Latest COVID-19 Themes).
And while attacks using Zeus Sphinx are ongoing, Kessem notes that the most recent major campaign using the Trojan was detected in April.
Zeus Sphinx Modifications
Zeus Sphinx is a variant of the source code used to create the original Zeus banking Trojan, which had its heyday in the early 2010s. At some point, that code was "open sourced," and a number of malware variants appeared (see: Zeus Banking Trojan Spawn: Alive and Kicking).
Zeus Sphinx faded into disuse until recently, when its operators began making modifications, according to the IBM researchers. The growth of phishing campaigns with COVID-19 themes led to more widespread use of the malware.
In most cases, Zeus Sphinx is hidden within a malicious attachment, usually a Word document, that accompanies a phishing or spam email sent to a victim. If the target opens the attached file, macros are enabled that allow the Trojan to implant itself within a device, according to IBM.
The Trojan then adds a Run key to the Windows Registry, in the form of either an executable or a malicious dynamic link library file, which helps the malware persist within an infected device, IBM notes. The malware also creates a standalone file, called msiexec.exe, to help disguise its activity from security tools and scans.
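A triage sketch for the persistence behaviour described above (a Run key that launches an executable or a DLL, and a file named msiexec.exe), added here as an example and not taken from the IBM report. The sample Run-key values, the directory lists and the function names are constructed assumptions, and paths are assumed to have environment variables already expanded.

```python
import ntpath
import re

# Assumption: legitimate msiexec.exe is expected only in these directories.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Assumption: user-writable locations where an autorun target deserves review.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}

# Constructed sample Run-key values (name, command); not taken from the report.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Users\alice\AppData\Roaming\Ykqe\msiexec.exe"),
    ("Helper", r"rundll32.exe C:\Users\alice\AppData\Roaming\Ozb\tuw.dll,Start"),
    ("Installer", r"C:\Windows\System32\msiexec.exe /i C:\setup\tool.msi /qn"),
]


def image_path(command):
    """Return the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):          # quoted path, may contain spaces
        return command[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ", 1)[0]


def triage(command):
    """Return the reasons a Run-key command deserves analyst review."""
    reasons = []
    lowered = command.lower()
    directory, base = ntpath.split(image_path(command).lower())
    if base in DLL_HOSTS and ".dll" in lowered:
        reasons.append("dll-autorun")
    # A bare "msiexec.exe" resolves through the system path, so only flag
    # copies that name an explicit directory outside the system directories.
    if base == "msiexec.exe" and directory and directory not in SYSTEM_DIRS:
        reasons.append("msiexec-outside-system-dir")
    if any(part in lowered for part in USER_WRITABLE):
        reasons.append("user-writable-path")
    return reasons


def review(values):
    """Map each flagged Run-key value name to its list of reasons."""
    return {name: r for name, cmd in values if (r := triage(cmd))}


if __name__ == "__main__":
    for name, reasons in review(SAMPLE_RUN_VALUES).items():
        print(name, reasons)
```

The flags are review prompts rather than verdicts: legitimate software also autostarts from user-writable directories, so each hit still needs the file's signature and origin checked.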
In the new versions of Zeus Sphinx, the IBM researchers note, the operators have updated the domains used with its command-and-control server. In addition, the malware now uses an upgraded version of its RC4 encryption key for communication purposes, which also gives it the ability to create a botnet using other infected devices.
The Trojan also now includes a pseudo-random number generator, or PRNG, named MT19937. This creates random file names and other resources within an infected device to help disguise malicious activity from security tools, IBM researchers say.
The Zeus Sphinx Trojan continues to deploy browser injection techniques, using this malicious code to steer victims to domains controlled by the attackers in order to steal financial and other data, IBM notes.
"It is known for being effective at hooking browsers, stealing user credentials on the fly, and injecting in-session pop-ups to trick victims into divulging additional information that can help the attackers steal money from their bank accounts or payment cards," Kessem says.
While the COVID-19 pandemic has helped revive Zeus Sphinx, researchers from IBM, Microsoft and other security firms have found that the TrickBot malware appears to be the Trojan of choice for most cybercriminals; it's being deployed in more spam and phishing emails (see: COVID-19 Phishing Emails Mainly Contain TrickBot: Microsoft).
"Since March 11, when COVID-19 was declared a pandemic, IBM X-Force has observed a more than 6,000% increase in COVID-19-related spam," Kessem says. "And these campaigns run the gamut, with cybercriminals impersonating major banks, offering up vaccines, deploying communications related to stimulus relief funds, and attempting to gain access to bank accounts."
Managing Editor Scott Ferguson contributed to this report.