The Zeus Sphinx Financial Malware upgrades with new features


Financial Malware Zeus Sphinx getting frequent updates with new Encryption keys and C2 setup

On Monday, IBM Security researcher Nir Shwarts said the company has been tracking the evolution of the malware which is based on the leaked codebase of the well-known Zeus v.2 Trojan.

What is Zeus Shinx Malware?

The Zeus Sphinx banking Trojan is financial malware that was built upon the existing and leaked codebase of the forefather of many other Trojans in this class: Zeus v2.0.8.9. Over the years, Sphinx has been indifferent hands, initially offered as a commodity in underground forums, and then suspected to be operated by various closed gangs.

After a lengthy hiatus, this malware began stepping up attack campaigns starting in late 2019 and increased its spreading power in the first quarter of 2020 via malspam featuring coronavirus relief payment updates.

With Sphinx back in the financial cybercrime arena, IBM X-Force wrote the following technical analysis of the Sphinx Trojan’s current version, which was first released into the wild in late 2019. We will be covering the following components, shedding light on parts of the malware that were modified in this version, as other parts likely remained the same:

  • Persistence mechanism
  • Injection tactics
  • Bot configuration
  • Hidden configuration nuggets
  • Bot identification method
  • Sphinx’s naming algorithms

According to IBM, the malware is now becoming more firmly entrenched by way of constant upgrades to improve its potency. Zeus Sphinx will also create a standalone process, named msiexec.exe to mimic a legitimate program, in an attempt to remain stealthy.

The Malware samples included a variant ID in “2020 Upgrade” named by Russia. The sample used a varied command-and-control (C2) server domain list and an RC4 key for botnet communication encryption purposes.

However, the new version of the malware includes smaller and different sets of C2s and different sets of RC4 Keys. Sphinx also uses a pseudo-random number generator (PRNG) named MT19937 to create a variance in file names and resources for each infected device to try and avoid detection by static scanning tools.

“While less common in the wild than Trojans like TrickBot, for example, Sphinx’s underlying Zeus DNA has been an undying enabler of online banking fraud,” IBM says. “Financial institutions must reckon with its return and spread to new victims amid the current pandemic.”


About Author

Be Ready for the challenge

Notify of
Inline Feedbacks
View all comments