#Privacy: Banking Trojan resurfaces amidst global pandemic

Following a three year hiatus, the Zeus Sphinx banking Trojan is back, appearing in a coronavirus-themed phishing campaign.

First seen in August 2015, Sphinx is based on the leaked source of the Zeus banking trojan. IBM X-Force researchers Amir Gandler and Limor Kessen explained that Sphinx’s main capability is to harvest online banking credentials. 

Following a three-year break, Sphinx is now capitalising on the growing concerns and fears surrounding COVID-19, and has launched a phishing campaign. 

“While some Sphinx activity we detected trickled in starting December 2019, campaigns have only increased in volume in March 2020, possibly due to a testing period by Sphinx’s operators,” the researchers explained in a blog post. 

“It appears that, taking advantage of the current climate, Sphinx’s operators are setting their sights on those waiting for government relief payments.”

The campaign features a “booby-trapped” document named “COVID-19 relief”, and similar to previous campaigns, the operators behind Sphinx are targeting major banks from the US to Australia. 

The phishing email asks victims to fill out an attached form in order to receive monetary compensation for having to stay at home. 

The document first requests the user to enable macros, to which once enabling the macro, “the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader.”

The downloader will communicate with a remote C&C server and collect the Sphinx variant. Once on the device, the Trojan “writes numerous folders and files to disk and adds some Registry keys in order to hide itself and manage its configuration files over time.” 

“To carry out web injections, the malware patches explorer.exe and browser processes iexplorer.exe/chrome.exe/firefox.exe but doesn’t have the actual capability of repatching itself again if that patch is fixed, which makes the issue less persistent and unlikely to survive version upgrades,” the researchers discovered. 

Sphinx uses a web-based control panel for web injects, which will download files designed to look like the websites of the victims’ banks, in order for the injections to be convincing. Victims are then tricked into entering their credentials and authentication codes in forms that are controlled by the attackers. 

Last week, the FBI’s Internet Crime Complaint Center (IC3) issued a public service announcement warning of fraud schemes related to the COVID-19 pandemic, explaining that threat actors are now capitalising on the pandemic with the aim of stealing money and/or personal information. 

Many of these scams included emails claiming to be from the Centers of Disease Control and Prevention (CDC), the World Health Organisation (WHO) or other organisations offering information about the virus.


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/