Home
Threat Intelligence Posts

Zeus Sphinx banking Trojan masquerades as relief payment

Yet another attempt to cash in on the fears of Coronavirus, with COVID-themed phishing. Zeus Sphynx targets banks, delivers malicious email attachments.
Updated on
February 27, 2023
Published on
April 3, 2020
Read time
5
Subscribe to the latest industry news, technologies and resources.

The Carrier

The Malware

  • The malicious code hijacks Windows processes to fetch a malware downloader (kofet.dll).
  • The downloader then fetches the final payload from C2C. After the system is fully compromised, the malware establishes persistence by modifying Windows registry, and injecting malicious data to %APPDATA% and other folders.

The Risk

  • Sphinx targets major banks in the U.S., Canada, and Australia.
  • The malware uses web injects by patching legitimate browsers, to capture sensitive information such as credit card, debit card details, passwords, personal information, in the event that victims visit banking websites.

File details

Maldoc:
DFF2E1A0B80C26D413E9D4F96031019CE4567607E0231A80D0EE0EB1FC
Sphinx samples:     
  • C8DFF758FEB96878F578ADF66B654CD7
  • 70E58943AC83F5D6467E5E173EC66B2
  • 7CA44F6F8030DF33ADA36EB35649BE71
  • 8A96E96113FB9DC47C286263289BD667
  • C6D279AC30D0A60D22C4981037580939
VBS sample
  • 2FC871107D46FA5AA8095B78D5ABAB78

Indicators of Compromise

  • IPs:
    • 104.27.179.176
    • 104.27.178.176
    • 185.14.29.227
    • 49.51.161.225
    • 47.254.174.129
  • C&C:
    • Downloader C&C: hxxp://brinchil.xyz,
    • Sphinx C&Cs:
      • hxxps://seobrooke[.com]
      • hxxps://securitysystemswap[.com]
      • hxxps://axelerode[.club]

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Related Intelligence Posts
No items found.