Zeus Sphinx banking Trojan masquerades as relief payment

Password-protected malicious document (dubbed COVID 19 Relief.doc) distributed via phishing email.
It claims to gather details of individuals, for relief payments offered by the Government.
Once opened, it enables macros features on the target’s computer, infecting with Sphinx banking Trojan.

The malicious code hijacks Windows processes to fetch a malware downloader (kofet.dll).
The downloader then fetches the final payload from C2C. After the system is fully compromised, the malware establishes persistence by modifying Windows registry, and injecting malicious data to %APPDATA% and other folders.

The Risk

Sphinx targets major banks in the U.S., Canada, and Australia.
The malware uses web injects by patching legitimate browsers, to capture sensitive information such as credit card, debit card details, passwords, personal information, in the event that victims visit banking websites.

File details

Maldoc:

DFF2E1A0B80C26D413E9D4F96031019CE4567607E0231A80D0EE0EB1FC

Sphinx samples:

C8DFF758FEB96878F578ADF66B654CD7
70E58943AC83F5D6467E5E173EC66B2
7CA44F6F8030DF33ADA36EB35649BE71
8A96E96113FB9DC47C286263289BD667
C6D279AC30D0A60D22C4981037580939

VBS sample:

2FC871107D46FA5AA8095B78D5ABAB78

Indicators of Compromise

IPs:
- 104.27.179.176
- 104.27.178.176
- 185.14.29.227
- 49.51.161.225
- 47.254.174.129
C&C:
- Downloader C&C: hxxp://brinchil.xyz,
- Sphinx C&Cs:
  - hxxps://seobrooke[.com]
  - hxxps://securitysystemswap[.com]
  - hxxps://axelerode[.club]

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.

Trusted by 400+ Top organisations

The Carrier

The Malware