• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COVID-19 Exploitation in Cyberspace
March 30, 2020
Rewterz Threat Alert – Hackers Start Capitalizing on Zoom’s Success to Spread Malware Amid Covid-19
March 30, 2020

Rewterz Threat Alert – Zeus Sphinx Trojan Distributed via Covid-19 Relief Documents

March 30, 2020

Severity

Medium

Analysis Summary

Zeus Sphinx (AKA Zloader, Terdot) increased activities in March 2020. Like many other malicious campaigns, the one pushing Zeus is also leveraging the Covid19 pandemic. The malspam contains files named “COVID 19 relief” and similar subject lines. Zeus still targets banks across continents in the US, Canada, and Australia. The maldoc spam taking advantage of the trending COVID-19 theme tells victims that they need to fill out an attached form to receive monetary compensation for having to stay at home to help fight increasing infection rates.

From a variety of Office programs, with the majority being .doc or .docx files, these documents at first request the end user to enable executing a macro, unknowingly triggering the first step of the infection chain. Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader. Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the new Sphinx variant.The maldoc is password-protected, likely to prevent analysis of the file before the recipient opens it. It writes numerous folders and files to disk and adds some Registry keys in order to hide itself and manage its configuration files over time.
The weaponized document creates a malicious folder under %SYSTEMDRIVE% and writes a batch file into it. After executing the batch file, it writes a VBS file to the same folder. That file is executed and uses a legitimate WScript.exe process, creates a communication channel with its C&C server and downloads a malicious executable in the form of a DLL. The malicious DLL, which is Sphinx’s executable, is also written to the folder under %SYSTEMDRIVE%. The infection process is initiated with the execution of the Sphinx DLL using Regsvr32.exe, which sets off Sphinx’s infection chain.

Impact

  • Credential Theft
  • Theft of Banking Information

Indicators of Compromise

MD5

  • e8fcf85c39c4b99b903148cba3e2d913
  • 2fc871107d46fa5aa8095b78d5abab78
  • 70E58943AC83F5D6467E5E173EC66B28
  • 7CA44F6F8030DF33ADA36EB35649BE71
  • 8A96E96113FB9DC47C286263289BD667
  • C6D279AC30D0A60D22C4981037580939

SHA-256

  • dff2e1a0b80c26d413e9d4f96031019ce4567607e0231a80d0ee0eb1fcf429fe
  • f40d11f983151b6f0405db63a3424e5063a7294f42bdbde07f7aed5fd96f4563
  • 511dab2388e7a98cc70a8e6abbfe3c47f170c9fc616941a2c05c08b1fc449ef1
  • 3c115864cb93746b3745a119855b17442ef9415ccc2bf1531fc5a269e4714c66
  • 66fc5d683cf76c3c4b53199fc0796b7a13afba22fca8d97ef4dfd07249e5a9f1
  • c89c43d51eba1eb522cca6ec720f778a59638a09ea07ce10a60dd1929023a8d5

Source IP

  • 185[.]14[.]29[.]227
  • 49[.]51[.]161[.]225
  • 47[.]254[.]174[.]129

URL

  • hxxp[:]//brinchil[.]xyz
  • hxxps[:]//seobrooke[.]com
  • hxxps[:]//securitysystemswap[.]com
  • https[:]//axelerode[.]club/

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download attachments from untrusted emails.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.