The Zeus Sphinx banking trojan is back after being off the scene for nearly three years. According to cyber researchers at IBM X-Force, Sphinx (a.k.a. Zloader or Terdot) began resurfacing in December 2019. However, the researchers observed a significant increase in victims in March 2020, as Sphinx's operators looked to take advantage of the interest and news of the government relief payments for businesses and individuals.
First seen in August 2015, Sphinx is a modular malware based on the leaked source code of the infamous Zeus banking Trojan. Like other banking trojans, Sphinx's core capability is to harvest online account credentials for online banking, brokerage, and eCommerce sites where bank account and credit card numbers are used. When infected users land on a targeted online banking portal, Sphinx dynamically fetches web injections from its command-and-control (C2) server to modify the page that the user sees, so that the information that the user enters into the log-in fields is sent to the cybercriminals.
To take advantage of current events, Sphinx is joining the growing force of COVID-19-themed phishing and malspam campaigns ramping up worldwide. In the March 2020 campaigns, the emails tell targets that they need to fill out an attached form to receive coronavirus relief from the government. This scam is one of the countless COVID-19 attacks perpetrated by criminals. In the latest campaigns, Sphinx is spreading via coronavirus-themed email sent to victims in the US, Canada, and Australia, housed in malicious attachments named "COVID 19 relief."
Red Sky Alliance has previously observed the Russian group Du5-Dark Underground Syndicate selling this malware for as little as $500. Despite sales and support for Sphinx being discontinued, according to the authors, it is still popularly used, and cracked versions are now circulated in novice hacker forums.
According to cyber threat investigators, the malicious attachments are Microsoft Office documents, the majority being .doc or .docx files. These documents first request the user to enable macro execution, which unknowingly triggers the first step of the infection chain. Once the end-user enables these macros, the script starts its deployment, often using legitimate, hijacked Windows processes to fetch a malware downloader. Next, the downloader communicates with a remote command-and-control (C2) server and fetches the relevant malware, in this case the new Sphinx variant.
Once the Sphinx macros are enabled, the document creates a malicious folder under %SYSTEMDRIVE% and writes a batch file into it, the researchers explained in their analysis. The malware then executes this batch file and then writes a VBS file to the same folder. Next, it uses a legitimate WScript.exe process to execute the VBS file, which creates a communication channel with the C2 server. After that, it downloads a malicious executable in the form of a DLL library file. This malicious DLL is the core Sphinx executable, which is also written to the folder under %SYSTEMDRIVE%.
Sphinx itself is then executed using the Regsvr32.exe process. Initially, the malware creates a hollow process, msiexec.exe, and injects its code into it. This same step was used by older versions of Sphinx for deployment. It creates the first folder under %APPDATA% and creates an executable file in it. Later, it will change the extension to 'DLL' for persistence purposes.
Sphinx signs the malicious code using a digital certificate that validates it, making it easier to stay under the radar of common antivirus (AV) tools when injected into the browser processes. The malware variant used is only slightly different from previous samples seen in older campaigns, according to the researchers. For instance, the malware creates a run key in the Registry, so that the DLL is triggered using the Regsvr32.exe process. The malware also creates two Registry hives under HKCU\Software\Microsoft\, each one containing one key that holds a part of its configuration.
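The infection chain above (Office macro, batch file and VBS under a new folder on the system drive, WScript.exe, a DLL loaded by Regsvr32.exe, msiexec.exe hollowing, and a Run key pointing at a DLL under %APPDATA%) maps onto a handful of parent/child and path-based detection rules. The following is an added example written for this article, not code from Red Sky Alliance or IBM X-Force: it runs those rules over constructed process-creation and registry events (the folder and value names such as `sample_dir` and `SampleDir` are placeholders, not indicators from the report) and reports which rule each event trips.

```python
"""Detection rules for the Sphinx infection chain, run over constructed sample telemetry.
Added example, not code from the original article; field names and sample paths are assumed."""
import re
from dataclasses import dataclass

# Directories normally writable only by administrators; anything else is "untrusted".
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TRUSTED_ENV = ("%windir%\\", "%systemroot%\\", "%programfiles%\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SCRIPT_EXTS = (".vbs", ".js", ".bat", ".cmd")


@dataclass(frozen=True)
class ProcessEvent:
    image: str    # full path of the new process
    parent: str   # full path of its parent process
    cmdline: str  # command line of the new process


@dataclass(frozen=True)
class RegistryEvent:
    key: str    # registry key path
    value: str  # value name
    data: str   # value data


# A quoted path (may contain spaces) or a bare drive/env-variable path to a script or DLL.
FILE_RE = re.compile(
    r'"([^"]+?\.(?:dll|vbs|js|bat|cmd))"'
    r'|((?:[a-z]:\\|%[a-z]+%\\)\S+?\.(?:dll|vbs|js|bat|cmd)\b)',
    re.IGNORECASE,
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_path(text):
    """Return the first script/DLL path in a command line or registry value, else None."""
    m = FILE_RE.search(text)
    return (m.group(1) or m.group(2)) if m else None


def untrusted_path(path):
    """True unless the path is under a directory normally writable only by admins."""
    p = path.lower()
    if p.startswith("%"):
        return not p.startswith(TRUSTED_ENV)
    return not p.startswith(TRUSTED_DIRS)


def check_process(ev):
    hits = []
    img, parent = basename(ev.image), basename(ev.parent)
    path = extract_path(ev.cmdline)
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")          # macro kicked off cmd/wscript
    if img in SCRIPT_HOSTS and path and path.lower().endswith(SCRIPT_EXTS) and untrusted_path(path):
        hits.append("script_host_untrusted_script")        # .bat/.vbs from a user-writable folder
    if img == "regsvr32.exe" and path and path.lower().endswith(".dll") and untrusted_path(path):
        hits.append("regsvr32_untrusted_dll")              # core DLL registered from odd location
    if img == "msiexec.exe" and parent == "regsvr32.exe":
        hits.append("msiexec_spawned_by_regsvr32")         # candidate for process hollowing
    return hits


def check_registry(ev):
    hits = []
    if ev.key.lower().endswith("\\currentversion\\run") and "regsvr32" in ev.data.lower():
        path = extract_path(ev.data)
        if path and untrusted_path(path):
            hits.append("run_key_regsvr32_untrusted_dll")  # persistence via Run key + regsvr32
    return hits


def scan(processes, registry):
    """Return (rule, subject) pairs for every rule tripped by the supplied events."""
    findings = [(r, basename(ev.image)) for ev in processes for r in check_process(ev)]
    findings += [(r, ev.value) for ev in registry for r in check_registry(ev)]
    return findings


# Constructed sample telemetry modelled on the chain described in the article.
SAMPLE_PROCESSES = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"cmd.exe /c C:\sample_dir\run.bat"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe",
                 r"wscript.exe C:\sample_dir\dl.vbs"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\wscript.exe",
                 r"regsvr32.exe /s C:\sample_dir\core.dll"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
                 "msiexec.exe"),
    # Benign control: a service registering a vendor DLL from Program Files.
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\services.exe",
                 r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
]
SAMPLE_REGISTRY = [
    RegistryEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SampleDir",
                  r"regsvr32.exe /s %APPDATA%\SampleDir\sample.dll"),
    RegistryEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                  r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for rule, subject in scan(SAMPLE_PROCESSES, SAMPLE_REGISTRY):
        print(f"{rule:34s} {subject}")
```

Each rule on its own is noisy on a real estate (cmd.exe under Word is common in some environments; regsvr32 from user-writable paths does happen with legitimate software), so in practice the value lies in correlating several hits on the same host within a short window, which is what the chain described above would produce. The benign control event and the OneDrive Run value are there to show that ordinary registrations and autostarts under Program Files do not trip the rules.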
Coronavirus-themed campaigns continue to roll out. These include malware attacks, booby-trapped URLs, and credential-stuffing scams. APT groups have been eyeing the pandemic as a lure for spreading data exfiltration malware, particularly with more businesses moving to a work-from-home model in response to the virus.
Red Sky Alliance has been analyzing and documenting cyber threats for 8 years and maintains a resource library of malware and cyber actor reports. The installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to cyber prevention success. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to protect your organization better today?
- All data in transmission and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications that are directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including Keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is in New Boston, NH USA, and is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 888-RED-XRAY or (888)-733-9729, or email email@example.com