Zeus Sphinx (AKA Zloader, Terdot) increased activities in March 2020. Like many other malicious campaigns, the one pushing Zeus is also leveraging the Covid19 pandemic. The malspam contains files named “COVID 19 relief” and similar subject lines. Zeus still targets banks across continents in the US, Canada, and Australia. The maldoc spam taking advantage of the trending COVID-19 theme tells victims that they need to fill out an attached form to receive monetary compensation for having to stay at home to help fight increasing infection rates.
From a variety of Office programs, with the majority being .doc or .docx files, these documents at first request the end user to enable executing a macro, unknowingly triggering the first step of the infection chain. Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader. Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the new Sphinx variant.The maldoc is password-protected, likely to prevent analysis of the file before the recipient opens it. It writes numerous folders and files to disk and adds some Registry keys in order to hide itself and manage its configuration files over time.
The weaponized document creates a malicious folder under %SYSTEMDRIVE% and writes a batch file into it. After executing the batch file, it writes a VBS file to the same folder. That file is executed and uses a legitimate WScript.exe process, creates a communication channel with its C&C server and downloads a malicious executable in the form of a DLL. The malicious DLL, which is Sphinx’s executable, is also written to the folder under %SYSTEMDRIVE%. The infection process is initiated with the execution of the Sphinx DLL using Regsvr32.exe, which sets off Sphinx’s infection chain.