SentinelOne vs Zeus Sphinx banking trojan (COVID-19 SPAM)

Late in March, we observed the Sphinx banking trojan, which is largely based on leaked source code for Zeus, began to aggressively spread via email with COVID-themed messages. In some cases, victims were enticed to complete a form related to receiving government assistance during the outbreak. The malicious document then proceeds to drop and execute a VBS script. This script establishes C2 communication channels and downloads additional executable payloads. Beyond the COVID-themed lures, the functionally is largely unchanged with regards to data inception via web injects. #Zeus Sphinx attempts to establish persistence via the registry (HKLMSoftwareMicrosoftWindowsCurrentVersionRun). The malware has also been known to self-sign its binaries, in an attempt to further evade traditional endpoint security controls. Watch how SentinelOne blocks this threat.