After several years of silence, the operators of the Zeus Sphinx banking malware (also known as Zloader or Terdot) have resumed activity to profit from the coronavirus pandemic.
According to IBM X-Force researchers, Zeus Sphinx activity resurfaced in March, coinciding with the government relief programs launched to cushion the pandemic's economic impact. “It appears that, taking advantage of the current climate, Sphinx’s operators are setting their sights on those waiting for government relief payments,” the IBM X-Force researchers report.
The criminals run phishing campaigns that distribute a malicious document named “COVID 19 Relief”.
More broadly, criminals have been sending victims emails that supposedly reveal new methods of treating the coronavirus, making phone calls in the name of utilities and banks affected by the pandemic, and selling fake coronavirus prevention products on online shopping sites.
The emails claim that the victim can fill out the attached form to receive compensation for staying at home and helping to slow the growing rate of infection. Once downloaded and opened, the attachment, presented as a .DOC or .DOCX file, asks the user to enable macros; the macros in turn launch the Zeus Sphinx infection chain by hijacking legitimate Windows processes.
“Once the end-user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader. Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the relevant malware — in this case, the new Sphinx variant. The maldoc is password-protected, likely to prevent analysis of the file before the recipient opens it,” explain IBM X-Force specialists.
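The delivery chain described above (a document carrying a VBA macro, sometimes password-protected to frustrate scanners) can be triaged at the mail gateway before anyone clicks "Enable Content". The following Python script is an added example written for this page, not code from IBM X-Force or from the malware itself. It inspects an attachment's container format, flags a VBA project inside an OOXML archive, and flags OLE2 files that carry the EncryptedPackage stream Office uses for password-protected documents. The sample documents it builds are constructed in-memory stand-ins, and the extension-mismatch rules are my own heuristics rather than rules taken from the report.

```python
import io
import zipfile

# File-format magic numbers (from the ZIP/OOXML and OLE2 specifications).
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML archive members that hold a VBA project (Word, Excel, PowerPoint), lower-cased.
VBA_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
# Stream name Office uses for a password-encrypted OOXML document wrapped in OLE2.
ENCRYPTED_PACKAGE_STREAM = "EncryptedPackage".encode("utf-16-le")


def inspect_office_blob(data: bytes, declared_name: str = "") -> dict:
    """Classify an Office attachment by container and flag macro/encryption signs.

    Returns a dict with the detected container, whether a VBA project is present,
    whether the file looks like a password-protected OOXML document, and a list
    of human-readable reasons for flagging it (empty means nothing suspicious).
    """
    ext = declared_name.lower().rsplit(".", 1)[-1] if "." in declared_name else ""
    result = {"container": "unknown", "has_vba": False,
              "encrypted_ooxml": False, "reasons": []}

    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            result["reasons"].append("ZIP header present but archive is unreadable")
            return result
        if names & VBA_PARTS:
            result["has_vba"] = True
            result["reasons"].append("OOXML archive contains a VBA project")
            if ext in ("docx", "xlsx", "pptx"):
                # Heuristic: macro-free extensions should never ship vbaProject.bin.
                result["reasons"].append(f".{ext} extension but macros inside")
    elif data.startswith(OLE2_MAGIC):
        result["container"] = "ole2"
        # Heuristic: OLE2 directory entries store stream names as UTF-16LE, so the
        # EncryptedPackage stream of a password-protected OOXML file can be found
        # with a plain byte search (a real parser such as olefile would walk the
        # directory instead).
        if ENCRYPTED_PACKAGE_STREAM in data:
            result["encrypted_ooxml"] = True
            result["reasons"].append("password-protected OOXML (EncryptedPackage stream)")
        if ext in ("docx", "docm", "xlsx", "xlsm"):
            # Heuristic: an OOXML extension on an OLE2 container means the file is
            # either mislabelled legacy .doc/.xls or an encrypted OOXML document.
            result["reasons"].append(f".{ext} extension but OLE2 container")
    else:
        result["reasons"].append("not an Office container")
    return result


def build_sample_ooxml(with_vba: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style ZIP, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder, not real VBA
    return buf.getvalue()


def build_sample_encrypted_ole2() -> bytes:
    """Constructed sample: OLE2 magic followed by an EncryptedPackage directory name."""
    return OLE2_MAGIC + b"\x00" * 504 + ENCRYPTED_PACKAGE_STREAM + b"\x00" * 32


if __name__ == "__main__":
    samples = [
        ("COVID 19 Relief.docx", build_sample_ooxml(with_vba=True)),
        ("clean.docx", build_sample_ooxml(with_vba=False)),
        ("COVID 19 Relief.docx", build_sample_encrypted_ole2()),
    ]
    for name, blob in samples:
        print(name, inspect_office_blob(blob, name))
```

In a gateway pipeline the two flags map to different actions: a VBA project in a file that should be macro-free is a hard block, while an encrypted OOXML attachment cannot be scanned at all and is best quarantined for manual review, which is exactly the analysis step the password protection is meant to prevent.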
Once installed on a victim's system, Zeus Sphinx maintains persistence by dynamically writing itself to numerous files and folders and by creating registry keys. The malware also attempts to evade detection by using a self-signed certificate.
Zeus Sphinx's main feature is web injection. The malware patches explorer.exe and browser processes, including those of Google Chrome and Mozilla Firefox, in order to harvest financial information when the user visits a targeted page (for example, an online banking platform).
Experts note that Zeus Sphinx has no mechanism for re-patching an updated browser: once the browser receives an update, the malware's web injection stops working.
Cybercriminals of all kinds have stepped up their activity during the pandemic; for example, even some coronavirus tracking maps have been found to carry malware. A few attackers claim to act honorably and refrain from attacking medical facilities, but they are the exception rather than the rule.