Home Articles The Return of the Zeus Sphinx Banking Trojan

The Return of the Zeus Sphinx Banking Trojan


The Zeus Sphinx banking Trojan has once again returned to the virtual world. Read on to know more about it…

The Zeus Sphinx banking trojan has once again returned to the virtual world. The banking trojan has recently seen a revival in the US. It has been upgraded and one of its new lures includes COVID-19 spam. This financial malware was built upon the codebase of other trojans in the same class: Zeus v2.0.8.9.

Zeus Sphinx used to be initially offered as a commodity malware in underground forums. However, it is suspected to be operated by various closed groups. Although the re-emergence was in December last year, the trojan spiked in March via coronavirus themed malspam. Since April, the malware has been attacking US targets.

New Features and Functionality
The operators behind the Zeus Sphinx malware have added new features and functionality to the Trojan over the last several months, and more cybercriminals have deployed it within phishing and spam emails that use the COVID-19 crisis as a lure, according to researchers at IBM X-Force.

The modifications to the Zeus Sphinx Trojan include an updated command-and-control server infrastructure as well as new methods to help the malware maintain persistence within an infected device, IBM researchers say. The Trojan has become more efficient at stealing banking and financial data – its main purpose, they point out.

Modus Operandi
Zeus Sphinx establishes persistence by adding a Run key to the Windows Registry. This ensures that the malware survives system reboot. The trojan’s core capability is to gain online account credentials for online banking websites, along with some other services. After victims land on a targeted bank portal, web injections are fetched from the C2 server to modify the page. The information entered by the victim is then harvested by the attackers.

Working Mechanism
The Zeus Sphinx banking trojan has been designed to hook into browser functions. Zeus Sphinx signs the malicious code using a digital certificate that validates it. The attackers have taken advantage of the current pandemic and set their sights on government relief payments.

As per researchers, “Once infected by Sphinx, every device sends information home and is defined in the botnet by a bot ID to ensure control and updates through the attacker’s server.” It has been explained by experts that while Zeus Sphinx is not as ubiquitous as other trojans such as TrickBot, its codebase has always been a constant enabler of banking frauds.

Use caution while clicking on links to unknown websites.

• Use comprehensive security to safeguard your credentials.
• Update your systems and software.
• Deploy a vulnerability scan to detect existing security gaps.
• Use traffic filters.

Although Zeus Sphinx started out by attacking North American targets, it has spread to other parts of the world, including the UK, Brazil, and Australia. The most recent attacks were conducted on users in Japan. However, the operators have refocused on the US to target government relief payments.


Please enter your comment!
Please enter your name here

− 2 = 1