The 5-year-old malware variant has reared its ugly head once again after a three-year hiatus – this time attempting to take advantage of the need for COVID-19 financial assistance.
In the midst of a huge uptick in coronavirus-themed phishing and spear phishing attacks, it appears that those responsible for the Zeus Sphinx trojan have wiped off the dust and are looking to leverage the interest of individuals and businesses alike to gain access to the victim’s online banking. According to researchers at IBM X-Force, the trojan uses booby-trapped documents under the guise of COVID-19 assistance that launch a multi-step process to infect the victim’s endpoint with a web inject platform, called Tables, that has been around since 2014.
The intent of the malware is to collect logon credentials as users attempt to access online banking, sending them back to the malware's authors for later use. The Tables platform uses banking site-specific code to make users believe they are, indeed, logging onto their bank when they are instead compromising their credentials.
At a time when users are working from home, the future is uncertain, and everyone could use a little assistance, the offer of free monetary assistance is enough motivation to get potential victims to do as asked by the senders of phishing scams like these.
Organizations need to ensure that even while working remotely, users have a layered defense in place that includes scanning emails before they are sent to the user’s Inbox, protecting endpoints with AV, preventing malicious code from running using endpoint detection and response, and educating the user with Security Awareness Training to not fall for scams like these – regardless of the theming, promise made, or how tempting they appear to be.