The Bedel Security Blog

A New Generation of the Zeus Banking Trojan

Written by Brian Petzold | Apr 3, 2020

Researchers at IBM X-Force have noticed a new wave of email attacks using COVID-19 themes to target online banking credentials. These attacks use malware called Sphinx, which is based on the Zeus banking trojan. Once installed on a PC, the malware waits for the victim to visit an online banking site. When the victim does, the malware can collect credentials (including MFA responses) in real time. That access can then be used to log in to the victim’s bank account and transfer funds using any method available on the online banking site.

While Sphinx has existed since 2015, it had not been observed as active in nearly three years. The new wave of attacks uses emails telling victims to fill out an attached form to receive COVID-19 relief from the government. Once a victim opens the attached Word file, they will see a prompt asking them to allow a macro to run. If they permit the macro to run, it installs the malware on the PC. While this malware is currently targeting customers of large banks, history tells us that it is only a matter of time before attackers turn their focus to smaller institutions.

Institutions should continue to educate customers not to open attachments in email messages unless they know the sender and are expecting the attachment, and not to trust any attachments or links in unsolicited messages related to COVID-19. If customers do click and are asked for permission to run a macro, they should close the document immediately and not click any further. Customers should also make sure they are running a reputable anti-malware package on their PCs.

Institutions should also work closely with their Internet banking providers to ensure they implement controls designed to detect and block attacks from trojans such as Zeus Sphinx. These controls normally compare several session attributes (IP address, cookies, browser version, and so on) across the life of a session, looking for any indication that control of the session has transferred from the legitimate customer to an attacker.
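To make the kind of control described above concrete, here is an added illustration (not code from Bedel Security, IBM X-Force, or any banking platform) of a session-consistency monitor. It records the IP address, User-Agent string and persistent device cookie seen at login and flags later requests in the same session whose attributes no longer match, weighting money-movement actions more heavily. The session events, thresholds and decision labels are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SessionEvent:
    """One request observed by the online banking front end (constructed schema)."""
    session_id: str
    action: str          # e.g. "login", "view_balance", "transfer"
    ip: str
    user_agent: str
    cookie_id: str       # value of a persistent device cookie set at first login
    amount: float = 0.0


@dataclass
class Finding:
    session_id: str
    action: str
    score: int
    decision: str        # "log", "step_up" or "block" (labels are assumptions)
    reasons: List[str] = field(default_factory=list)


class SessionMonitor:
    """Compares each request against the attributes captured at session start."""

    def __init__(self, step_up_at: int = 2, block_at: int = 3):
        self.baselines: Dict[str, SessionEvent] = {}
        self.step_up_at = step_up_at
        self.block_at = block_at

    def check(self, ev: SessionEvent) -> Optional[Finding]:
        base = self.baselines.get(ev.session_id)
        if base is None:
            # First sighting of this session: record its fingerprint as the baseline.
            self.baselines[ev.session_id] = ev
            return None

        reasons: List[str] = []
        if ev.ip != base.ip:
            reasons.append(f"ip changed {base.ip} -> {ev.ip}")
        if ev.user_agent != base.user_agent:
            reasons.append("user-agent changed mid-session")
        if ev.cookie_id != base.cookie_id:
            reasons.append("device cookie changed mid-session")
        if not reasons:
            return None

        # A drift on a money-movement action is riskier than on a read-only page.
        score = len(reasons) + (1 if ev.action == "transfer" else 0)
        if score >= self.block_at:
            decision = "block"
        elif score >= self.step_up_at:
            decision = "step_up"   # e.g. re-authenticate through an out-of-band channel
        else:
            decision = "log"
        return Finding(ev.session_id, ev.action, score, decision, reasons)


def evaluate(events: List[SessionEvent]) -> List[Finding]:
    monitor = SessionMonitor()
    findings = []
    for ev in events:
        f = monitor.check(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample traffic: three sessions, one clean, one with a minor IP change,
# and one whose transfer comes from a completely different client fingerprint.
SAMPLE_EVENTS = [
    SessionEvent("s1", "login", "203.0.113.10", "Firefox/74", "c1"),
    SessionEvent("s2", "login", "198.51.100.7", "Chrome/80", "c2"),
    SessionEvent("s3", "login", "203.0.113.20", "Firefox/74", "c4"),
    SessionEvent("s1", "view_balance", "203.0.113.10", "Firefox/74", "c1"),
    SessionEvent("s3", "view_balance", "203.0.113.21", "Firefox/74", "c4"),
    SessionEvent("s1", "transfer", "203.0.113.10", "Firefox/74", "c1", amount=250.0),
    SessionEvent("s2", "transfer", "192.0.2.55", "Chrome/81", "c3", amount=4800.0),
]


def run_demo() -> List[Finding]:
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f.session_id, f.action, f.decision, f.score, "; ".join(f.reasons))
```

Exact-match comparison is deliberately simple here; a production control would tolerate normal mobile IP churn (comparing network or ASN rather than the full address) and combine these signals with behavioural ones such as time between page views, so that a customer on a flaky connection is stepped up rather than blocked while a session that suddenly sends a transfer from a new address, browser and cookie is stopped.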

Bedel Security regularly assesses new threats that may impact financial institutions so that our clients can proactively implement controls to protect their customer data. If you want to know about threats as they arise, email us at support@bedelsecurity.com.