The Sphinx Zeus banking Trojan first emerged in August 2015, exactly a year ago, but has been recently updated and detected in new campaigns. This time Sphinx is targeting Brazilian banks and Boleto, Brazilian payment methods. Not surprisingly, the attacks are clearly “inspired” by the Olympic Games in Rio. We already wrote about the potential threats of this global event, and we’re not surprised to see this banking Trojan being so active during this particular time.
More about Sphinx Banking Trojan
The very first thing to mention here is that Sphinx is a member of the notorious and infamous Zeus banking malware family. It is coded in C++ and, as expected, is based on the leaked Zeus source code. Previously Sphinx was spotted taking full advantage of the Tor network, as revealed by TrendMicro research. The Trojan is an expert at avoiding detection and is resistant to sinkholing, blacklisting and even to the Zeus tracking tool, which was developed to track Zeus Command&Control servers (hosts) around the world and provide a domain blocklist and an IP blocklist.
The initial campaigns of the banking Trojan victimized banks mainly situated in the UK, as revealed by an IBM X-Force report from October 2015:
Zeus Sphinx is crimeware that emerged in underground fraud forums in late August 2015, offered for sale by a Russian-speaking vendor for $500 per binary — without a malware builder. This means that Sphinx’s vendor is not enabling fraudsters to independently generate new malware files. Fraudsters would have to buy a new variant generated by the vendor every time their current one gets detected as malicious by signature-based security solutions.
How Is Sphinx Currently Being Spread?
Similarly to other Zeus bankers, the Trojan is spread via web injects that overlay fake websites. Once this is done, the banker will exfiltrate the collected data via a hidden VNC (virtual network computing) connection.
In the latest Brazilian update, Sphinx has included web inject configurations able to target the web portal of three famous Brazilian banks, as well as the Boleto payment methods.
Moreover, this latest variant of Sphinx supports a multi-step injection that includes social engineering tactics and enables cyber criminals to trick users and collect their authentication codes from card readers.
Web injects are also employed to lure users into downloading mobile applications that steal transaction authentication codes sent by the bank via SMS.
Rio Olympics 2016 Have Stirred the Underground Brazilian Market
Another infamous banker has also received a notable update – the Panda banking Trojan. In June this year, Panda was sent to LinkedIn users via email, in an aggressive post-breach phishing campaign. An earlier campaign, from March, showed that Panda was actively spread via macros in Word documents and exploit kits.
Overall, banking Trojans are quite popular today, perhaps nearly as popular as ransomware. Financial theft malware is a preferred method employed by cyber crooks all around the world. Users should always be prepared, especially when a globally important event is on the horizon.
Zeus bankers are particularly dangerous, as they take up to 15% of all such attacks, at least at this point.
Banking Trojans have caused great damage to unsuspecting users, generating fraudulent transactions and stealing banking credentials. Attack scenarios can go even worse, if the particular banking Trojan installs additional malware such as ransomware or spyware. Since banking malware continues to be a huge issue in cyber security, being protected against it is a must.
How to Protect Yourself from Banking Trojans like Sphinx and Panda
For obvious security reasons, Microsoft disables macros by default. However, cyber criminals know that and keep finding ways to make potential victims enable macros, exactly as in the Panda attacks.
In short, to increase one’s security against banking malware, and any malware really, follow these steps:
- Disable macros in Microsoft Office applications. The very first thing to do is check whether macros are disabled in Microsoft Office. For more information, visit Microsoft Office’s official page. Keep in mind that if you are an enterprise user, the system administrator is the one in charge of the macro default settings.
- Don’t open (or reply to) suspicious emails. Simple as that. If you receive an unexpected email from an unknown sender – like an invoice – don’t open it before making sure it is legitimate. Spam is the primary way of distributing macro malware.
- Employ anti-spam measures. Use anti-spam software or spam filters that examine incoming email, identify spam and keep it out of your inbox, isolating it from legitimate messages. Make sure a spam filter is enabled for your email account. Gmail users can refer to Google’s support page.
- Keep all of your browsers and apps updated. Malware is known to take advantage of software vulnerabilities, so skipping updates is a risky road. If you have many apps installed on your system, you can rely on a program like Secunia Personal Software Inspector (PSI) to track which ones need patching.
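As an added example (not code from the original post), the following PowerShell script audits the first step above on a Windows machine: it reads the macro security setting (VBAWarnings) that Word, Excel and PowerPoint actually honour, whether it comes from Group Policy or from the user's own preference, and whether the policy that blocks macros in files downloaded from the Internet is set. The Office version keys (15.0 for Office 2013, 16.0 for 2016/2019/365) and the default value of 2 when nothing is configured are assumptions based on Microsoft's documented settings.

```powershell
# Added example, not part of the original article: audit Office macro settings.
# VBAWarnings values (Microsoft documented): 1 = enable all macros (dangerous),
# 2 = disable with notification (Office default), 3 = disable all except
# digitally signed, 4 = disable all without notification.
# Assumed Office version keys: 15.0 = Office 2013, 16.0 = Office 2016/2019/365.

$apps     = 'Word', 'Excel', 'PowerPoint'
$versions = '15.0', '16.0'

function Get-MacroSetting {
    param([string]$App, [string]$Version)
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"

    # Each read returns $null when the key or value does not exist.
    $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $user   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $blockInternet = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet `
                        -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    # A Group Policy value overrides the user's Trust Center choice; with neither
    # present, Office falls back to its default of 2 (disable with notification).
    if ($null -ne $policy)   { $effective = $policy; $source = 'Policy' }
    elseif ($null -ne $user) { $effective = $user;   $source = 'User' }
    else                     { $effective = 2;       $source = 'Default' }

    [pscustomobject]@{
        App              = $App
        Version          = $Version
        EffectiveSetting = $effective
        Source           = $source
        BlocksInternet   = ($blockInternet -eq 1)
        # Settings 3 and 4 stop the "click Enable Content" lure used by macro droppers.
        Hardened         = ($effective -ge 3)
    }
}

$results = foreach ($v in $versions) { foreach ($a in $apps) { Get-MacroSetting -App $a -Version $v } }
$results | Format-Table -AutoSize

# Any row with Hardened = False (or EffectiveSetting = 1) deserves attention.
# On a standalone machine the policy value can be set for the current user, e.g.:
#   New-Item -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security" -Force | Out-Null
#   Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security" -Name VBAWarnings -Value 4 -Type DWord
# Enterprise users should leave this to the administrator's Group Policy, as the article notes.
```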
And don’t forget to keep your anti-malware program running at all times!