430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Zeus Sphinx spam campaign attempt to exploit Coronavirus outbreak

The Zeus Sphinx malware is back, operators are now spreading it exploiting the interest in the Coronavirus outbreak. The Zeus Sphinx malware is back, it was observed in a new wave of attacks attempting to exploit the interest in the Coronavirus outbreak. Experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware, […]

coronavirus zeus sphinx campaign

The Zeus Sphinx malware is back, operators are now spreading it exploiting the interest in the Coronavirus outbreak.

The Zeus Sphinx malware is back, it was observed in a new wave of attacks attempting to exploit the interest in the Coronavirus outbreak.

Experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware, as known as Zloader or Terdot, that focus on government relief payments. 

The Zeus Sphinx malware was first observed on August 2015, a few days after a new variant of the popular Zeus banking trojan was offered for sale on hacker forums,

Now the Zeus Sphinx malware is back, operators are spreading it in a spam campaign aimed at stealing victims’ financial information.

Spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments

“Current malspam campaigns feature booby-trapped document files named “COVID 19 relief” and subject lines relying on the same theme. Sphinx’s targets have not changed from its past configuration files as it continues to focus on banks in the US, Canada, and Australia.” reads the analysis published by IBM Z-Force.

The Zeus Sphinx variant used in the recent Coronavirus-themed campaign is only slightly different than the original. 

Spam emails include a form, in an MS Word format, that must be filled out to receive funds to help people that now are at home due to the COVID 19 pandemic. The document is password-protected, likely to prevent analysis before it is received by the potential victim, the password is included in the content of the email.

Once opened, the document displays a message to instruct victims in enabling macros to view the content, unfortunately this action start the infection process.

“Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader.” continues the post.”Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the relevant malware — in this case, the new Sphinx variant.”

Zeus Sphinx gains persistence by dynamically writing itself to numerous files and folders, it also created registry keys for the same purpose.

Sphinx signs the malicious code using a digital certificate, a common evasion technique, when injected into the browser processes.

Experts observed that web injections are in some cases still based on the Zeus v2 codebase. Zeus Sphinx will patch processes associated to Explorer and common browsers, including Chrome and Mozilla Firefox. In this way, the malicious code is triggered when a user visits a target page, such as an online banking platform.

“As a modular banking Trojan that’s based on the dated Zeus v2 code, Sphinx’s core capability is to collect online account credentials from banks and a wide range of other websites.” continues the post. “It calls on its C&C server to fetch relevant web injections when infected users land on a targeted page and uses them to modify the pages users are browsing to include social engineering content and trick them into divulging personal information and authentication codes.”

Experts pointed out that if a browser pushes an update, the web injection function will likely not “survive.”

The report published by IBM X-Force also provided technical details about the threat, including IoCs.

Unfortunately, the number of COVID19-themed attacks continue to increase, if you are interested to receive info about the attacks observed in the last week give a look at:

https://securityaffairs.co/wordpress/100698/breaking-news/coronavirus-themed-attacks-march-22-march-28-2020.html
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Zeus Sphinx Trojan, Coronavirus)

[adrotate banner=”5″]

[adrotate banner=”13″]