Update: Zeus Sphinx Trojan is back

Exploit. Angler. Nuclear. It doesn't matter what they're called; they always deliver. We should be prepared for the fact that these die down and then reappear with renewed code and vigor. Here's a current representation of strains, and to that we add Zeus Sphinx.


As banking malware goes, Sphinx "combined elaborate fraud tactics to steal credentials and one-time passwords". Sphinx was originally identified in 2015, but the Brazilian variant appeared hot on the heels of Zeus Panda in Aug 2016, attacking Brazilian banks, specifically the online banking and Boleto payment systems (Boleto fraud is highly lucrative and deserves its own post). That this occurred at the same time as the Olympics is no coincidence. Activity died down until recently. IBM X-Force has identified new, targeted attacks against online users of banks, and especially credit unions, in Canada and Australia. In this article by malware hunter Limor Kessem, these are described as "low-volume testing, not full-blown infection campaigns. The malware's operators appear to be looking very carefully to determine which geographies offer the paths of least resistance." According to X-Force, the attackers are using the same attack servers that facilitated the Zeus Citadel and Ramnit attacks in 2016, and the web injections share similar code patterns with other banking Trojans. Sphinx uses two distribution methods: email carrying a malicious VBA loader, and malvertising.


Note how credit unions are the major target, as they are apparently low-hanging fruit from a security standpoint. For Australia, the mix is 40 major banks, credit unions and payment providers. NOTE: This also targets some US banks.


Per the X-Force Exchange site:

Zeus Sphinx is used for the theft of online banking authentication elements such as user credentials, cookies and certificates. These elements are subsequently used by fraudsters in illicit online transactions typically performed from the user’s own device. Connection to the endpoint is facilitated via backconnect hidden virtual network computing (VNC), which means the infected endpoint will initiate a remote-access connection to the criminal’s endpoint. This feature allows the attacker to gain user-grade access to the device even through firewall protection.


