A Banking Trojan is Back Because of COVID-19

COVID-19 is currently the most common and popular topic in cyberattacks. After three years of silence, the Zeus Sphinx banking Trojan has recently resurfaced in coronavirus-themed phishing campaigns and returned to people’s attention. Zeus Sphinx (also known as Zloader and Terdot) is a piece of malware that was originally discovered in August 2015. It was based almost entirely on the leaked source code of the Zeus v2 Trojan. Subsequently, this malware spread worldwide.

Its web injections used social engineering to persuade infected users to hand over authentication codes and credentials. The ongoing Zeus Sphinx campaign uses phishing emails to launch attacks. The emails contain malicious files disguised as documents with government relief payment information. As in previous campaigns, the operators of Zeus Sphinx are still targeting large banks in the United States, Canada, and Australia. The attackers ask the recipient to fill out a request form, delivered as a DOC or DOCX document, and claim that the form is secure and will allow the recipient to receive relief payments.

Once one of these malicious documents is opened on the target computer, it asks the user to enable macros. Once enabled, the macros install a malicious downloader, which obtains the final payload from a remote C&C server, after which the device is infected with the Sphinx banking Trojan. After infecting the user’s system, Sphinx adds several registry keys and writes data to a folder it creates under %APPDATA%, so that it can persist for a long time and save its configuration. The malware uses web injection to alter the bank’s website and trick users into entering their personal credentials and authentication codes.

Many malware attacks have used this theme during the COVID-19 outbreak, and Sphinx is just one of them. The FBI’s Internet Crime Complaint Center (IC3) warned that phishing campaigns are using fake government economic stimulus measures to steal personal information from victims. To avoid being infected with malware or having personal information stolen, IC3 suggests the following:

  • DO NOT click links or open attachments sent by unknown people;
  • Ensure that the URLs accessed in the browser are legitimate;
  • Enter the website by typing the URL instead of clicking directly on the hyperlink embedded in the email;
  • DO NOT provide sensitive personal information such as user credentials and various financial data when receiving sales calls or emails.
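
The campaign described above depends on DOC or DOCX attachments that ask the user to enable macros, so a mail gateway or analyst can flag such attachments before they reach a desktop. The following Python sketch is an added example, not code from the article or from LIFARS; the function names and sample attachments are constructed for illustration, and the legacy DOC check is a byte-pattern heuristic rather than a full OLE parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy .doc container (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx container (OOXML ZIP)
VBA_ENTRY = "_VBA_PROJECT".encode("utf-16-le")   # OLE directory names are UTF-16LE


def macro_verdict(data: bytes) -> str:
    """Return 'macro', 'no-macro' or 'unknown' for raw attachment bytes."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: a VBA project adds a "_VBA_PROJECT" stream to the OLE directory.
        return "macro" if VBA_ENTRY in data else "no-macro"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "unknown"
        # OOXML stores VBA in vbaProject.bin whatever the file extension says.
        return "macro" if any(n.endswith("vbaproject.bin") for n in names) else "no-macro"
    return "unknown"


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed OOXML-shaped ZIP for the demo; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


# Constructed sample attachments (file names are made up for the demo).
SAMPLES = {
    "relief_form.docx": make_ooxml(with_macro=True),
    "newsletter.docx": make_ooxml(with_macro=False),
    "relief_form.doc": OLE_MAGIC + b"\x00" * 504 + VBA_ENTRY,
    "minutes.doc": OLE_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text",
}


def triage(samples: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: macro_verdict(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:18} {verdict}")
```

A "macro" verdict on an unsolicited relief-payment form is a reason to quarantine the message; "unknown" covers truncated or non-Office files that need a different check.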

LIFARS’ experts leverage the latest data analytics algorithms, based on the Tactics, Techniques, and Procedures (TTP) that attackers are known to use, together with Machine Learning, Artificial Intelligence, Behavioral Forensic Artifacts, and Threat Intelligence, to detect ongoing or zero-day cyberattacks and Advanced Persistent Threats (APTs). They also use the latest IOCs to identify the probability of an enterprise compromise. Cyber Threat Hunting is an essential exercise to proactively investigate potential compromises, detect advanced threats, and improve cyber defenses. We orchestrate an exhaustive and iterative process with purpose-built tools to conduct a manual and semi-automated series of searches for Indicators of Compromise (IOC) and Initial Vectors of Compromise (IVOC).


