Zeus Sphinx: What it is, how it works and how to prevent it | Malware spotlight

Introduction

When something is described as “rising from the ashes,” the mythological creature known as the phoenix normally comes to mind. Those who research malware may soon want to swap “phoenix” for “Zeus Sphinx.”

This malware was a persistent threat to banks and financial institutions in 2015 and then seemingly died out. Since December 2019 (and especially since the start of the COVID-19 pandemic), Zeus Sphinx has seen a marked resurgence and has been observed using the pandemic as a lure to spread.

This article will detail the Zeus Sphinx malware with regard to its recent resurgence. We’ll explore what it is, how it works and how you can prevent becoming a victim yourself.

What is Zeus Sphinx?

Zeus Sphinx (also known as Zloader or Terdot) is not an amalgamation of two mythological creatures or the latest trendy crossover vehicle. Instead, it is a malware dating back to 2015. But just like a virus that won’t quit, Zeus Sphinx reappeared in December of 2019. This comeback was furthered by the COVID-19 crisis, where Zeus Sphinx used COVID-19 as a cover to induce users to download the malware.

When Zeus Sphinx first appeared, the malware was a banking Trojan that first targeted banks in the United States, later extending its reach to Canada and Brazil. After a brief hiatus, this malware slowly began reappearing in December 2019 with researchers concluding that the operators were testing the malware for future full-scale deployments. Beginning in March or April of 2020, Zeus Sphinx attacks increased significantly, with a few modifications and a tactic of exploiting the COVID-19 pandemic to target banks in North America.

The modifications observed in new versions of Zeus Sphinx are nothing to shake a sphinx’s tail at. IBM researchers have discovered that the malware has become more (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/uz3pxCFBj14/