After years of inactivity, Zeus Sphinx malware is resurrected to take advantage of the coronavirus pandemic in a new wave of fraud.
Emails claiming to know the secret to new treatments, messages and phone calls from hackers posing as utilities and banks affected by the respiratory disease, and counterfeit products that supposedly prevent coronavirus infection are just some examples of the fraud. So far, the recorded coronavirus-related fraud has reached 723,000.
Every crisis is exploited by cybercriminals and fraudsters, and now a piece of malware that had been absent for almost three years has started circulating again.
On Monday, IBM X-Force said that Zeus Sphinx, also known as Zloader or Terdot, has been spotted in campaigns launched in March that focus on state aid.
Zeus Sphinx was first detected in August 2015. The malware appeared as a banking Trojan whose core code was based on Zeus v2. It targeted financial institutions across the United Kingdom, Australia, Brazil and the United States, and it has now re-emerged with an emphasis on the same countries through a new coronavirus campaign.
The researchers said that Zeus Sphinx is spreading through phishing campaigns carrying malicious files named "COVID 19 relief". The emails claim that a form must be completed in order to receive an allowance while the recipient is at home and not working.
The attached form, mostly in the .DOC or .DOCX file formats, uses a standard technique to gain a foothold on a system. If the file is downloaded and opened, the document asks the user to enable macros, which in turn launch the Zeus Sphinx payload by hijacking Windows processes and connecting to a command-and-control (C2) server that hosts the malware.
Once installed on a compromised machine, Zeus Sphinx establishes persistence, writing itself dynamically across multiple files and folders and creating registry keys. The malware also tries to evade detection by using a self-signed certificate.
Web injections are the malware's specialty and in some cases still rely on Zeus v2 code. Zeus Sphinx patches explorer.exe and browser processes, including those used by Google Chrome and Mozilla Firefox, so that it can inject content when a user visits a targeted page, such as an online banking platform. The injected code modifies these pages to trick users into entering their authentication details, which are then harvested and sent to the malware's C2.
However, Zeus Sphinx contains an inherent flaw: it has no process for repatching the browser. Therefore, if the browser is updated, IBM says the web injection is "unlikely to survive."
The campaign is ongoing and is just one of many.
Thousands of dangerous COVID-19 domains have emerged in recent weeks, and in some cases cybercriminals use inventive methods to lure victims to these websites. Bitdefender researchers recently discovered that D-Link and Linksys routers have been attacked and their DNS settings changed in order to redirect victims to a coronavirus-themed website that serves malware.