The recent months have created a new reality in the world as the novel coronavirus pandemic spread from country to country raising concerns among people everywhere. With spammers and malware distributors already being accustomed to riding trending news, the COVID-19 theme has been exploited thoroughly by a large variety of spam and malspam campaigns. It appears that this was a good time for Zeus Sphinx (AKA Zloader, Terdot) to join the crowds and resurface after nearly three years of absence.

While some Sphinx activity we detected trickled in starting December 2019, campaigns have only increased in volume in March 2020, possibly due to a testing period by Sphinx’s operators. It appears that, taking advantage of the current climate, Sphinx’s operators are setting their sights on those waiting for government relief payments. Current malspam campaigns feature booby-trapped document files named “COVID 19 relief” and subject lines relying on the same theme. Sphinx’s targets have not changed from its past configuration files as it continues to focus on banks in the US, Canada, and Australia.

While the renewed Zeus Sphinx activity that IBM X-Force is seeing features a somewhat modified variant of this malware, Zeus Sphinx is not new malware and this variant is only slightly different than the original. We will therefore go into some basic modifications that were made in the variant we observed, mostly affecting its delivery and deployment on newly infected devices, as well as its focus on the current pandemic.

COVID-19-Themed Maldoc Spam Delivery

Almost all malware campaigns nowadays use malicious document files (maldocs) to reach potential victims’ mailboxes. The Sphinx campaigns we have observed are also being distributed via maldoc spam that takes advantage of the trending COVID-19 theme. Over the past three months, spammers everywhere are using the pandemic to spread phishing, scams and malware. In Sphinx’s case, the email tells victims that they need to fill out an attached form to receive monetary compensation for having to stay at home to help fight increasing infection rates.

Figure 1: Malspam delivering a Zeus Sphinx infection (Source: IBM X-Force)

From a variety of Office programs, with the majority being .doc or .docx files, these documents at first request the end user to enable executing a macro, unknowingly triggering the first step of the infection chain. Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader. Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the relevant malware — in this case, the new Sphinx variant.

The maldoc is password-protected, likely to prevent analysis of the file before the recipient opens it.

Figure 2: Maldoc file requires a password to open (Source: IBM X-Force)

In the next step, the recipient is asked to enable macros.

Figure 3: Booby-trapped maldoc file asks user to enable macros (Source: IBM X-Force)

Once on the device, Sphinx establishes persistence via commonly used methods to maintain its grasp on the end user’s machine. In this case, it writes numerous folders and files to disk and adds some Registry keys in order to hide itself and manage its configuration files over time.

Deployment Method

The infection process of the new Zeus Sphinx variant starts off with the weaponized document that creates a malicious folder under %SYSTEMDRIVE% and writes a batch file into it.

After executing the batch file, it writes a VBS file to the same folder. That file is executed and uses a legitimate WScript.exe process, creates a communication channel with its C&C server and downloads a malicious executable in the form of a DLL.

Figure 4: Sphinx scripts and junk text inserted into the file (Source: IBM X-Force)

The command line is similar in several cases. As written in the VBS content file, this is an example of the command:

“nologo C:\Logs\Jobs.vbs C:\Logs\kofet.dll

The malicious DLL, which is Sphinx’s executable, is also written to the folder under %SYSTEMDRIVE%. The infection process is initiated with the execution of the Sphinx DLL using Regsvr32.exe, which sets off Sphinx’s infection chain.

At first, the malware creates a hollow process, msiexec.exe, and injects its code into it. This same step was used by older versions of Sphinx for deployment. It creates the first folder under %APPDATA% and creates an executable file in it. Later on, it will change the extension to .DLL for persistence purposes.

In addition, the malware adds over 10 other malicious folders containing various data files under %APPDATA%.

Figure 5: Sphinx folders written into the APPDATA section (Source: IBM X-Force)

Next, the malware creates a run key in the Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ with the path to the DLL set under %APPDATA% as a persistence method using Rundll32.exe and DllRegisterServer as an argument. This will execute the DLL using the Regsrv32.exe process.

For example:

  • Key — HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Uffuehh
  • Value — rundll32.exe C:\Users\michel\AppData\Roaming\Fecaa\dagicoy.dll,DllRegisterServer

Figure 6: Zeus Sphinx’s run key (Source: IBM X-Force)

The malware also creates two Registry hives under HKCU\Software\Microsoft\, each one containing one key that holds a part of its configuration.

Please note that all file and resource names are dynamically generated for each infected machine and not hardcoded; therefore, what’s shown in this blog are examples that will differ on each deployment.

Self-Signed Certificate

Sphinx signs the malicious code using a digital certificate that validates it, making it easier for it to stay under the radar of common antivirus (AV) tools when injected to the browser processes. In the following example, that file is named “Byfehi.”

Figure 7: Sphinx’s self-signing certificate (Source: IBM X-Force)

Zeus Web Injections Live On

Some of Zeus Sphinx’s origins, inherited from its Zeus v2 codebase, remain intact. There are several Zeus variants that operate in a similar way, writing resources to the %APPDATA% folder and writing Registry key to HKCU\Software\Microsoft.

To carry out web injections, the malware patches explorer.exe and browser processes iexplorer.exe/chrome.exe/firefox.exe but doesn’t have the actual capability of repatching itself again if that patch is fixed, which makes the issue less persistent and unlikely to survive version upgrades.

Sphinx further creates a mutex on the injected process in the form of GUID – [0-9A-F]{12}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{8}.

Malware Configuration

The Sphinx variant we looked at creates two Registry hives under HKCU\Software\Microsoft\, each containing one key that holds a part of its configuration.

In the example below, we can see this as HKCU\Software\Microsoft\Ehobb and HKCU\Software\Microsoft\olyq.

Figure 8: Sphinx’s configuration file (Source: IBM X-Force)

Current Targets

Once loaded and extracted from Sphinx’s process memory, it is visible that Sphinx is back to targeting major banks in the U.S. and Canada. We are also seeing rising infection rates in Australia targeting top banks in the region.

Fetch From Tables — A Commercial Web Inject Panel

The currently active Zeus Sphinx variant communicates with its C&C server using a web-based control panel for web injects. This platform is known as “Tables.”

Figure 9: “Tables” web interface — user login page (Source: IBM X-Force)

The Tables web injects system has been operational since 2014, fitted for, and mostly used by, Zeus-type Trojans that target entities in North America and Europe.

This panel provides all the necessary resources for the malware to infect and collect relevant information from infected victims’ machines. Once a connection to the Tables panel has been established, Sphinx will fetch additional JavaScript files for its web injects to fit with the targeted bank the user is browsing. Injections are all set up on the same domain with specific JS scripts for each bank/target.

About Zeus Sphinx

Zeus Sphinx initially emerged as a commercial banking Trojan that started selling and spreading for the first time back in August 2015, targeting major financial entities in the U.K. Expanding its reach over time to attack banks in Australia, Brazil and North America, attackers deploying Sphinx attacks remained focused on the banking sector in those countries, adapting their attacks to the local financial systems.

As a modular banking Trojan that’s based on the dated Zeus v2 code, Sphinx’s core capability is to collect online account credentials from banks and a wide range of other websites. It calls on its C&C server to fetch relevant web injections when infected users land on a targeted page and uses them to modify the pages users are browsing to include social engineering content and trick them into divulging personal information and authentication codes.

Want to keep up to date about Sphinx and emerging threat intelligence? Join us on IBM X-Force Exchange and read our research blogs on Security Intelligence.

Indicators of Compromise (IoCs)




VBS sample: 2FC871107D46FA5AA8095B78D5ABAB78

Sphinx samples:







C&C Servers

Downloader C&C: hxxp://

Sphinx C&Cs:




More from Malware

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…