Zeus Sphynx malware targets banking activity, deploying malicious email attachments in COVID-19-themed phishing campaigns that exploit the uncertainty around the coronavirus.
The newly upgraded Zeus Sphynx malware reappeared in December 2019 but became more visible between March and April 2020, distributing itself via spam emails that center their lure on the coronavirus pandemic.
The malware has mostly targeted the banking details of individuals in the US who have been offered relief payments by their government, but it has also been reported striking banks in countries such as Australia and Canada after resurfacing from the dark web, according to Limor Kessem and Nir Shwarts of IBM X-Force Security.
Various spam emails claiming to offer cures for the novel coronavirus have been circulating, and phony phone calls and text messages masquerading as government agencies have also been reported, with the number of victims of these scams reported to have climbed above 723,000 since the beginning of the pandemic.
More About The Zeus Sphynx Malware
The Sphynx campaign delivers a password-protected malicious document named “COVID 19 Relief.doc” through email phishing; once the attachment (usually a DOC or DOCX file) is opened, its macro features run on the victim’s computer and infect it with the Sphinx banking trojan, which then targets the victim’s bank.
Zeus Sphynx is modular malware built on the leaked source code of the popular Zeus banking trojan. Its latest version adds features such as web injects, which it uses to covertly patch legitimate browsers in order to harvest sensitive credentials, including passwords, credit and debit card numbers, social security numbers and other vital details, from visitors to bank websites.
The malware can also hijack Windows processes and install a malware downloader called “kofet.dll”; once installed, kofet.dll fetches the final payload from the attackers’ C2 (command-and-control) server. The malware then establishes persistence on the compromised system by modifying the Windows registry and writing malicious data into %APPDATA% and other relevant files.
According to IBM, Zeus Sphynx and its web injections are unlikely to survive long, since the malware has been found to have a flaw: it is unable to re-patch an infected browser once that browser is upgraded.
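The registry-plus-%APPDATA% persistence described above is the kind of behaviour a defender can triage from endpoint telemetry. The following is an added example, not code from IBM or this article: it scans Sysmon-style registry-write events (Event ID 13, with its TargetObject and Details fields) for Run/RunOnce autorun entries that point into the user’s %APPDATA% profile, and notes when the entry loads a DLL, as the kofet.dll downloader does. The sample events and file names are constructed for illustration.

```python
import re

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 13
# (RegistryEvent: value set). Only the fields used below are included.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Roaming\kofet.dll,Start"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},  # not a registry event
    {"EventID": 13,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
     "Details": r"%APPDATA%\update.exe"},
]

# Autorun keys of interest and paths that resolve into the roaming profile.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
APPDATA = re.compile(r"(%APPDATA%|\\AppData\\Roaming\\)", re.IGNORECASE)


def suspicious_run_entries(events):
    """Return Run/RunOnce writes whose command references %APPDATA%.

    Each hit records the registry value written, the command, and whether
    that command loads a DLL (e.g. via rundll32), which matches the
    downloader-DLL pattern attributed to Zeus Sphynx.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if RUN_KEY.search(target) and APPDATA.search(details):
            hits.append({
                "key": target,
                "value": details,
                "loads_dll": ".dll" in details.lower(),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_EVENTS):
        flag = "DLL autorun" if hit["loads_dll"] else "autorun"
        print(f"[{flag}] {hit['key']} -> {hit['value']}")
```

Legitimate software occasionally installs from the roaming profile too, so treat a hit as a triage lead to be checked against the process that wrote the value, not as a verdict on its own.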