Brazil Can’t Catch a Break: After Panda Comes the Sphinx

Within two weeks of the discovery of Zeus Panda (Panda Banker) activity, IBM X-Force researchers have uncovered the first signs of Zeus Sphinx attacks in Brazil. A new version of Zeus Sphinx, which, like Panda, is a commercially available Zeus v2 variant, now targets the online banking and Boleto payment services of three of the top Brazilian banks and one bank in Colombia, according to its configuration file.

Sphinx is a modular banking Trojan and is considered to be as sophisticated as Panda and Zeus Citadel. The timing of Sphinx’s migration to Brazil — while the country is hosting a global sporting event — hardly appears to be a coincidence. Cybercriminals are known to increase their efforts during sporting events, taking advantage of the rise in online activity and interest around the competition to lure users into opening malware spam and phishing pages.

Sphinx: Mythically Treacherous and Double-Edged

Zeus Sphinx is a commercial banking Trojan sold to cybercriminals via underground fraudster boards. The malware emerged in August 2015, at which point it started targeting major banks in the U.K., and until recently it was known to target primarily European entities.

So, another day, another Zeus? Not quite. Sphinx has been around for about a year now, initially launched in attacks targeting U.K. and Australian banks. X-Force Research analyzed Sphinx’s modus operandi at the time and found that the malware combined elaborate fraud tactics to steal both credentials and one-time passwords.

Sphinx’s configuration fetched webinjections in real time from its command-and-control (C&C) server, manipulated users into generating authentication codes with their card readers, and even tricked victims into installing a malicious app on their mobile device to steal the transaction authentication codes the bank sent via SMS.

This post was part of my work with IBM X-Force. Read the complete blog here.
