Zeus Sphinx Pushes Empty Configuration Files — What Has the Sphinx Got Cooking?
Lately, IBM X-Force Research has seen the Zeus Sphinx Trojan go through a targetless phase, an exceedingly rare occurrence in the cybercrime arena.
Recent Zeus Sphinx samples have fetched configuration files in which all the target URLs were removed. This means that while Sphinx infection campaigns continue and the malware can infect new machines, it remains idle and lacks attack instructions to target specific banks and banking services.
The only instruction that repeats in all Sphinx configurations is to inject a victim's "bot ID" into every page he or she visits. In essence, this is a web injection attack with a catch-all target: inject into http*://*, covering any HTTP and HTTPS webpage the victim browses to.
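A defender triaging a fetched configuration wants to know two things the post describes: does it still name specific sites, and does it carry a catch-all rule? The parser below is an added example, not code from the X-Force post; it assumes the classic Zeus webinject layout (set_url / data_inject / data_end blocks), and the configuration text is constructed to resemble the "targetless" case.

```python
import fnmatch
from dataclasses import dataclass

# Constructed sample: a single catch-all bot-ID injection and no bank targets,
# i.e. the shape of the empty Sphinx configs described in the post.
SAMPLE_CONFIG = """
set_url http*://* GP
data_before
<body*>
data_end
data_inject
<!-- botid={BOTID} -->
data_end
data_after
data_end
"""

@dataclass
class InjectRule:
    url_pattern: str   # wildcard mask from the set_url line
    flags: str         # e.g. GP (GET/POST) in the assumed format
    inject_body: str   # content of the data_inject section

def parse_webinjects(text: str) -> list[InjectRule]:
    """Split a Zeus-style webinject config into rules, keeping each data_inject body."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("set_url "):
            parts = line.split(None, 2)
            current = InjectRule(parts[1], parts[2] if len(parts) > 2 else "", "")
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []
        elif line == "data_end":
            if current is not None and section == "data_inject":
                current.inject_body = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules

def is_catch_all(pattern: str) -> bool:
    """True when the mask matches any HTTP and HTTPS URL, as 'http*://*' does."""
    probes = ["http://example.test/", "https://bank.example.test/login"]
    return all(fnmatch.fnmatchcase(u, pattern) for u in probes)

def targeted_sites(rules: list[InjectRule]) -> list[str]:
    """Masks that single out specific sites: the real attack targets."""
    return [r.url_pattern for r in rules if not is_catch_all(r.url_pattern)]

def is_targetless(rules: list[InjectRule]) -> bool:
    """Non-empty config whose every rule is a catch-all, i.e. idle Sphinx."""
    return bool(rules) and not targeted_sites(rules)
```

Run over a real fetched config, the same checks flag the moment bank-specific masks reappear alongside the bot-ID rule.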
What’s Cooking?
This phase of empty Sphinx configuration files started in March 2017 and increased over the past few months to include all Sphinx samples. This suggests that Sphinx is presently operated by one group, not multiple actors, despite the fact that it was commercially sold in the underground when it was launched in 2015. What are Sphinx's operators cooking up?
In 2017, the malware was targeting banks in a number of countries, mostly focusing on Australia, the U.S. and Canada. Throughout that time, and to date, Sphinx's operators have launched different infection campaigns to spread the malware to more users.
According to X-Force research, one of the most interesting phases came in late January 2017, when Sphinx was being delivered by a well-known spam source called Moskalvzapoe. This network was one of the more prominent distributors of the Neverquest Trojan, serving spam for cybercriminal customers.
A notable change came in the week of Jan. 19 to Jan. 24, 2017, when Neverquest delivery via Moskalvzapoe suddenly halted. After that week, Moskalvzapoe got right back into serving banking Trojans, only this time it was spreading Zeus Sphinx, dropping it via Moskalvzapoe's DELoader, also known as Terdot.
Neverquest has since completely died down, dropping from being the second most prevalent financial malware family into oblivion. Zeus Sphinx, on the other hand, has been climbing up the chart ever since, placing fifth in June, right under seasoned organized cybercrime gangs such as Gozi, Ramnit and Dridex, per X-Force data.
See the stats and read the rest of this post here.