Sphinx, a banking trojan that’s heavily based on Zeus/Terdot, was noticed spreading in COVID-19 themed phishing emails.
Malicious emails
Emails that promise COVID-19 payments are being sent to people in English-speaking countries. The emails claim to carry a form to fill out – a form that’s needed to receive a large sum of money, such as immediate compensation for staying at home during the quarantine. As is usual for malicious spam, Sphinx emails are based on real-world events, such as the news that Canada would offer laid-off workers a $2000 a month relief.
There’s a file in these emails, but it’s not a government form. Rather, it’s a Sphinx downloader. The infected file is a Microsoft Office file that is infected with a malicious macro. To download the banking trojan, all you need to do is:
- open that document,
- enter the password that came with the email,
- click “Enable Editing” from the yellow bar,
- then click “Enable Content”.
This allows the macros inside the document to be executed and download Sphinx.
Information stealer
Once Sphinx is installed, victims might not notice anything wrong. Sphinx has some ability to evade detection and hide from antivirus programs, as well as hijack legitimate processes.
But, under the surface, Sphinx is very dangerous. For example, it provides criminals with tools to connect to infected computers and control them directly. Sphinx can also inject fake pages into victims’ web browsers. Or it can simply steal data saved in the victim’s browser.
Sphinx is mostly used to steal usernames and passwords. These can then be sold and used to try and hack people’s online accounts to rob them. This can range from unauthorized purchases using a saved credit card to a stolen online bank account or cryptocurrency wallet – it’s up to the cybercriminals.
Trojans like Sphinx are bought and used by criminals to infect computers, steal people’s data, and rob them. Some cybercriminals focus on one country or organization, some do highly targeted attacks, and some take advantage of a hot topic – such as the COVID-19 pandemic – to launch a global attack. According to IBM X-Force, Sphinx currently targets the clients of banks in Canada, USA, and Australia.
Dealing with a Sphinx infection
Now that many of us are stuck inside, spending time online, anxious for news and updates, cybercriminals are ramping up their activities. Not by programming better, more dangerous malware, but by convincing us to infect our own PCs.
Many, many cyber threats rely on social engineering – manipulating us into letting malware onto our computers. Sphinx is no different. For example, its emails include due dates and countdowns to force people to hurry and open the infected file. Victims feel like they risk losing $2000 if they delay.
So, what if you did find Sphinx or another banking trojan on your PC?
Remove Sphinx with an antivirus program and then scan your computer to make sure that it’s clean. If you have your credit card saved on any websites as a payment method, you may want to delete that for now. Set new passwords for those accounts, or start using a password manager.
Then, you should keep a very close eye on your bank account. If you’re charged money and you don’t know why, contest that charge immediately. If you’re concerned, call your bank and tell them what happened. Be completely honest so that you can get helpful advice.
The Sphinx distribution campaign is not the only malicious spam campaign that takes advantage of anxiety caused by the pandemic, as this Fireeye.com post shows. This also isn’t the first or only case of malicious email spam that talks about coronavirus to grab people’s attention – there are many scams out there. Malware has even been developed specifically after COVID-19, such as the CoronaVirus ransomware and the malicious tracker app.
