# Banking Malware Spreading via COVID-19 Relief Payment Phishing

**[bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/](https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/)**

Sergiu Gatlan

By
[Sergiu Gatlan](https://www.bleepingcomputer.com/author/sergiu-gatlan/)

March 30, 2020
04:53 PM
0

The Zeus Sphinx banking Trojan has recently resurfaced after a three years hiatus as part of
a coronavirus-themed phishing campaign, the most common theme behind most attacks by
far during the current pandemic.

Zeus Sphinx (also known as Zloader and Terdot) is a malware strain that was initially spotted
back in August 2015 when its operators used it to attack several British financial targets and
it is almost entirely based on the Zeus v2 Trojan's [leaked source code (just as](http://web.archive.org/web/20110719121544/http://www.csis.dk/en/csis/blog/3229/) [Zeus Panda](https://www.bleepingcomputer.com/tag/zeus-panda/)
[and Floki Bot).](https://securityintelligence.com/news/floki-bot-funny-name-financial-nightmare/)

[This malware was later used in attacks targeting banks from all over the globe, from](https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/)
Australia and Brazil to North America, attempting to harvest financial data via web injections
that make use of social engineering to convince infected users to hand out auth codes and
credentials.

## Back after a three-year break

The ongoing Zeus Sphinx campaign uses phishing emails that come with malicious
documents designed to look like documents with information on government relief payments.


-----

While some Sphinx activity we detected trickled in starting December 2019, campaigns
have only increased in volume in March 2020, possibly due to a testing period by Sphinx’s
operators," as IBM X-Force researchers Amir Gandler and Limor Kessem found.

"It appears that, taking advantage of the current climate, Sphinx’s operators are setting their
sights on those waiting for government relief payments."

**Phishing email sample (IBM X-Force)**
Just as they did in previous campaigns, Sphinx's operators are still focusing their efforts on
targets using major banks from the US, Canada, and Australia.

The attackers ask the potential victims to fill out a password-protected request form delivered
in the form of a .DOC or .DOCX document. After submission, this should allow them to
receive relief payments designed to help them out while staying at home.

Once opened on the targets' computer, these malicious documents will ask for macros to be
enabled and infect them with the Sphinx banking Trojan after installing a malware
downloader that fetches the final payload from a remote command-and-control (C&C) server.

After the victims' systems are compromised, Sphinx gains persistence and saves its
configuration by adding several Registry keys and writing data in folders created
under %APPDATA%.


-----

**Registry entry created to gain persistence (IBM X-Force)**
"To carry out web injections, the malware patches explorer.exe and browser processes
iexplorer.exe/chrome.exe/firefox.exe but doesn’t have the actual capability of repatching itself
again if that patch is fixed, which makes the issue less persistent and unlikely to survive
[version upgrades," the researchers also discovered.](https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/)

Sphinx uses Tables web-based control panels for web injects and it will download custom
files designed to match the websites of the victims' banks for the injections to be as
convincing as possible.

The malware uses the web injects to alter the banks' websites to trick the victims into
entering their credentials and authentication codes in forms that will exfiltrate the information
to attacker-controlled servers.

## One of many

This campaign is just one of an increasing number of others that try to exploit the COVID-19
[pandemic by stealing sensitive information and infecting their targets with malware.](https://www.bleepingcomputer.com/tag/malware/)

For instance, in somewhat related news, FBI's Internet Crime Complaint Center (IC3) warned
[that a phishing campaign was using fake government economic stimulus checks to steal](https://www.bleepingcomputer.com/news/security/fbi-warning-phishing-emails-push-fake-govt-stimulus-checks/)
personal info from victims.

To avoid getting scammed, infected with malware, or have your information stolen,
IC3 recommends not clicking on links or opening attachments sent by people you don't know,
as well as to make sure that the sites you visit are legitimate by typing their address in the
browser instead of clicking hyperlinks embedded in emails.

You should also never provide sensitive info like user credentials or any type of financial data
when asked as part of a telemarketing call or over email.

### Related Articles:

[Microsoft disrupts Zloader malware in global operation](https://www.bleepingcomputer.com/news/security/microsoft-disrupts-zloader-malware-in-global-operation/)


-----

[New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps](https://www.bleepingcomputer.com/news/security/new-ermac-20-android-malware-steals-accounts-wallets-from-467-apps/)

[PDF smuggles Microsoft Word doc to drop Snake Keylogger malware](https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/)

[Historic Hotel Stay, Complementary Emotet Exposure included](https://www.bleepingcomputer.com/news/security/historic-hotel-stay-complementary-emotet-exposure-included/)

[FluBot Android malware targets Finland in new SMS campaigns](https://www.bleepingcomputer.com/news/security/flubot-android-malware-targets-finland-in-new-sms-campaigns/)


-----