IBM X-Force researchers recently identified new infection campaigns delivering distinct Zeus Sphinx Trojan variants to online banking users in Canada and Australia. This is the first time our researchers have observed Sphinx campaigns with dedicated configurations targeting financial institutions in either of the two countries. We believe they are part of ongoing testing by Sphinx operators.

Sphinx has been keeping low levels of activity since August 2016, when it was detected in attacks on Brazilian banks. The malware authors have been making small, incremental upgrades to the code.

The recent configurations targeting online banking consumers in Canada and Australia are used sparingly in what looks like low-volume testing, not full-blown infection campaigns. The malware’s operators appear to be looking very carefully to determine which geographies offer the paths of least resistance.

Zeus Sphinx Targets Banks in Canada and Australia

In Canada, Sphinx’s operators included URLs for over 33 financial institutes. They focused their target list on credit unions, likely seeing them as the lower hanging fruit in the Canadian financial sector. The malware’s targets are consumer accounts.

Figure 1: Sphinx’s Canadian target distribution per entity type (Source: IBM X-Force)

The Canada-focused Sphinx operators are most likely familiar with the cybercrime arena. According to our research team, they used the same attack servers that facilitated the Zeus Citadel and Ramnit attacks in early 2016 and the fourth quarter of 2016, respectively. The webinjections share familiar code patterns with other banking Trojans, indicating that the attackers likely bought them from an injection-writing service.

Familiar Tricks

In their recent campaigns, Sphinx’s operators have been using two distribution methods to spread the malware to new victims: email messages containing malicious Word documents that launch a visual basic for applications (VBA) loader and malvertising schemes designed to spread the Sundown exploit kit (EK).

The use of the Sundown EK provides further evidence that Sphinx’s operators may be linked to other commercial malware operators. Sundown has been evolving since the fourth quarter of 2016, from a relatively small, second-tier kit into one of the most prominent EKs in circulation. It includes older exploits for Internet Explorer, Flash and Silverlight. It has been previously connected with other banking Trojans such as Kronos and with previous malware campaigns in Canada.

In Australia, the configuration targets a mix of 40 major banks, credit unions and payment providers. That configuration also targets some banks based in the U.S.

Figure 2: Sphinx’s Australia-focused target distribution per geo (Source: IBM X-Force)

IBM X-Force research reported past Sphinx campaigns launched against Brazilian banks in 2015 and U.K. banks in 2016.

Financial Malware: A Global Perspective

From a global perspective, Sphinx is counted as part of the overall Zeus family of Trojans, since it is almost entirely based on the leaked Zeus v2.0.8.9 source code.

With multiple Zeus variations such as Panda, Sphinx and Floki Bot active in the wild, Zeus’s codebase maintains the top position as the most active banking Trojan family. Different variants are operated by numerous cybercrime factions worldwide.

Figure 3: Most prevalent financial malware families 2017 YTD (Source: IBM X-Force)

Relevant IoCs

IBM X-Force shares Zeus Sphinx indicators of compromise (IoCs) on IBM X-Force Exchange. Just type “Zeus Sphinx” into the search bar to find all related collections on this malware.

Your team can anonymously add to Zeus Sphinx collections by sharing additional IoCs on X-Force Exchange. This ultimately helps information security professionals fight cybercrime threats in closer to real time, cutting malware’s lifelines.

To share and follow Zeus Sphinx IoCs, check out the dedicated collection on X-Force Exchange.

Dropper MD5

  • 33DAE99769B84EFCE58C6EBD0B5C8626

Sample MD5

Sample MD5 hashes are:

  • C5ADC8EC369941CDF3DFC6B4E8BC799C
  • 7B83DFCC671C5210F5A8A1D6552BADE4
  • 57B083B80CE77D6F1AE37F59BD28B4B2

Mitigating Zeus Sphinx Attacks

Banks wishing to protect their customers from evolving threats and cybercrime modus operandi are invited to learn more about IBM Trusteer Advanced Fraud Protection.

Individuals can reference our tips page for ways to protect themselves from malware such as Zeus Sphinx and other banking Trojans.

Read the white paper: How to outsmart Fraudsters with Cognitive Fraud Detection

More from Malware

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…