Zeus Sphinx: What it is, how it works and how to prevent it | Malware spotlight
Introduction
When something is described as “rising from the ashes,” the mythological creature known as the phoenix normally comes to mind. For those that research malware, they may soon want to swap “phoenix” for “Zeus Sphinx.”
This malware used to be a persistent threat for banks and financial institutions in 2015 and seemingly died out. As of December 2019 (and especially after the COVID-19 pandemic), Zeus Sphinx has seen a marked resurgence and been observed taking advantage of the pandemic to spread its maliciousness.
Become a certified reverse engineer!
This article will detail the Zeus Sphinx malware with regard to its recent resurgence. We’ll explore what it is, how it works and how you can prevent becoming a victim yourself.
What is Zeus Sphinx?
Zeus Sphinx (also known as Zloader or Terdot) is not an amalgamation of two mythological creatures or the latest trendy crossover vehicle. Instead, it is a malware dating back to 2015. But just like a virus that won’t quit, Zeus Sphinx reappeared in December of 2019. This comeback was furthered by the COVID-19 crisis, where Zeus Sphinx used COVID-19 as a cover to induce users to download the malware.
When Zeus Sphinx first appeared, the malware was a banking Trojan that first targeted banks in the United States, later extending its reach to Canada and Brazil. After a brief hiatus, this malware slowly began reappearing in December 2019 with researchers concluding that the operators were testing the malware for future full-scale deployments. Beginning in March or April of 2020, Zeus Sphinx attacks increased significantly, with a few modifications and a tactic of exploiting the COVID-19 pandemic to target banks in North America.
The modifications observed in new versions of Zeus Sphinx are nothing to shake a sphinx’s tail at. IBM researchers have discovered that the malware has become more efficient at stealing both banking and financial information, which is the main purpose of the malware. It also sports a new command-and-control (C2) server infrastructure and new methods to maintain persistence during an attack.
These enhanced functionalities, combined with the use of COVID-19 as an abuse of trust of potential victims, reinforce the warning that a recent IBM report has stated about the malware — that financial institutions must reckon with the return of Zeus Sphinx as well as new potential victims.
How does Zeus Sphinx work?
Built upon the Zeus v2.0.8.9 codebase, this malware gains entry onto a system by way of phishing and spam campaigns. This resurgence of Zeus Sphinx relies heavily upon the trust factor involved with emails and attachments that reference COVID-19.
A frequently used malicious document name that has snared users recently is “COVID-19 relief”. This angle that operators of Zeus Sphinx have taken has led researchers to believe that these new Zeus Sphinx attack campaigns are preying upon users’ expectation of receiving COVID-19 relief payments from the federal government. This keeps in line with a whole host of other malware in the wild that are taking advantage of this crisis. In fact, the use of COVID-related spam campaigns has jumped 6,000% since the beginning of 2020.
Zeus Sphinx has been observed tricking users with a malicious form that asks users to insert personal data so they can receive their money. (Please be aware that the government will never ask you to submit personal information to receive a COVID-19 relief payment.) When the user accepts the malicious macros in the file, the malware begins its deployment and the malware downloader is fetched. They enhance the effectiveness of this malicious document, as it is password-protected so users cannot analyze the file.
After being implanted onto a computer, the malware adds a Windows Registry run key as either a dynamic link library file or a malicious executable to aid in persistence. Zeus Sphinx increases its persistence ability by creating a file called msiexec.exe, which helps hide its activity from security scans and tools. It is also known to deploy browser injection and hooking techniques to further steal personal information from users. An example of this is in-session browser popups requesting personal information that can help attackers steal financial and bank card data.
Another significant upgrade to Zeus Sphinx since its last run through the wild is an RC4 encryption key for communication with the command-and-control server. This allows for more stealthy communications with this server during attacks and also allows attackers to use the infected device in a botnet.
How to prevent Zeus Sphinx
Luckily, you can do quite a bit to prevent Zeus Sphinx from infecting your (or your organization’s) system. Below is a list of recommendations that even those who are not the most information security-savvy can do to prevent it:
- Use a respected internet security solution
- Ensure that your system and software is updated
- Be cautious when clicking on unknown links and if possible, confirm that the link is sent from a party you know
- Communicate to your organization the importance of keeping your cybersecurity awareness elevated during this crisis. try to incorporate examples of COVID-19 phishing and spam emails in your organization’s cybersecurity awareness program
Conclusion
Zeus Sphinx has made a resurgence since December 2019. Once the COVID-19 pandemic took off, Zeus Sphinx began taking advantage of the situation and using the cover of the crisis to spread itself to potential victims.
Despite it being a more effective threat than its first time around, you can prevent infection by using standard cybersecurity awareness and by not getting tricked by those who will exploit a medical emergency for the sake of ill-gotten gain.
Sources
- Enhanced Zeus Sphinx Trojan Used in COVID-19 Schemes, BankInfoSecurity Blog
- Sphinx Malware Returns to Riddle U.S. Targets, Threatpost
- Zeus Sphinx Rises Back From the Ashes, Cyware Social
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Zeus Sphinx: What it is, how it works and how to prevent it | Malware spotlight
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis