New Zeus Sphinx banking trojan hitting Brazil

Bad actors are exploiting the Olympic games in Rio to issue malware spam and phishing pages leading to a banking trojan variant.

A new version of Zeus Sphinx, a sophisticated banking trojan whose current campaign targets banks in Brazil and Colombia, has been detected by IBM X-Force.

According to a blog post on Tuesday, IBM said that judging from its configuration file, the Zeus variant has been attacking online banking and Boleto payment services of three of the top Brazilian banks, as well as one bank in Colombia.

"Zeus Sphinx is similar to other sophisticated trojans we have seen targeting Brazil this summer," Limor Kessem, executive security advisor, IBM Security, and an author of the report, said in an email to SCMagazine.com. "The fraudsters operating it are likely local and working with other cyber-criminals across the globe to execute the campaigns, timed for the Olympic games." 

It is the second malware campaign targeting Brazil that the IBM X-Force team has detected within the last two weeks, likely using the spike in online activity owing to the Olympics to dupe users into clicking on malware spam and phishing pages, the report said.

The malware, which first appeared last August primarily targeting banks in Europe and Australia, is being sold to fraudsters on underground forums. IBM's analysis found that it combines elaborate fraud tactics to steal credentials and one-time passwords.

"Sphinx attacks combine elaborate fraud tactics, such as social engineering injections to steal credentials and personal information, and on-the-fly man-in-the-middle injections to modify payments initiated by the victims," Kessem wrote to SC.  "Although Sphinx is not new malware, the Zeus Sphinx v2 is new, and has been customised to target local banks in Brazil and Colombia." 

The typical fraud is initiated by real-time man-in-the-middle web injections: when an infected user initiates a Boleto transaction, the malware triggers a set of JavaScript injections. These let the bad actors capture the victim's personal data, which is sent to a command-and-control server. "On the server side, the C&C reaches out to a legitimate open source API library that creates Boleto barcodes from transaction details defined by the user." This occurs without involving the bank's server. The barcode generated by the fraudsters contains the routing data for a mule account and a modified transfer amount, the IBM report stated.

Because a barcode cannot be read by the person looking at it, victims do not notice that the Boleto they are shown is a forgery presented as if it came from their bank. When they submit the poisoned Boleto request, the payment is rerouted to the fraudsters.
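The substitution described above is invisible to the user precisely because the barcode is opaque, but it is not opaque to software: the fields that a mule-account swap has to change (amount and beneficiary data) sit at fixed positions in the barcode and can be diffed against the Boleto the user originally meant to pay. The Python below is an added example, not code from the article or from IBM's report. It implements the FEBRABAN layout of the 44-digit bank Boleto barcode and its 47-digit linha digitável (the form a user types), with both check-digit schemes, and compares a genuine Boleto with a substituted one; all barcodes in it are constructed sample data, and the field names (`bank_code`, `free_field`, `compare_boletos`, and so on) are the example's own.

```python
"""Parse and cross-check Brazilian Boleto barcodes (added example, constructed data).

Layout of the 44-digit bank Boleto barcode (FEBRABAN):
  [0:3]   bank code           [3]     currency (9 = BRL)
  [4]     general check digit (mod 11 over the other 43 digits)
  [5:9]   due-date factor     (days since 1997-10-07; 0000 = no due date)
  [9:19]  amount in centavos, zero-padded
  [19:44] free field (bank-specific beneficiary / agreement data)
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

BASE_DATE = date(1997, 10, 7)
SAMPLE_DUE = date(2016, 8, 20)  # constructed sample due date used by demo()


def mod11_check_digit(digits: str) -> str:
    """General check digit: weights 2..9 cycle from the rightmost digit leftwards;
    a remainder that would give 0, 10 or 11 is replaced by 1."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return "1" if dv in (0, 10, 11) else str(dv)


def mod10_check_digit(digits: str) -> str:
    """Per-field check digit of the linha digitavel: weights 2,1,2,1,... from the
    right, each product reduced to the sum of its digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        prod = int(ch) * (2 if i % 2 == 0 else 1)
        total += prod if prod < 10 else prod - 9
    return str((10 - total % 10) % 10)


@dataclass
class Boleto:
    bank_code: str
    currency: str
    due_date: Optional[date]
    amount_cents: int
    free_field: str


def parse_boleto(barcode: str) -> Boleto:
    """Validate the general check digit and split the barcode into its fields."""
    if len(barcode) != 44 or not barcode.isdigit():
        raise ValueError("Boleto barcode must be exactly 44 digits")
    if barcode[4] != mod11_check_digit(barcode[:4] + barcode[5:]):
        raise ValueError("general check digit mismatch")
    factor = int(barcode[5:9])
    due = BASE_DATE + timedelta(days=factor) if factor else None
    return Boleto(barcode[:3], barcode[3], due, int(barcode[9:19]), barcode[19:])


def build_boleto(bank_code: str, due: date, amount_cents: int, free_field: str) -> str:
    """Assemble a barcode with a valid check digit (used here only to construct samples)."""
    body = f"{bank_code:0>3}9{(due - BASE_DATE).days:04d}{amount_cents:010d}{free_field:0>25}"
    return body[:4] + mod11_check_digit(body) + body[4:]


def barcode_to_linha(barcode: str) -> str:
    """47-digit linha digitavel: three mod-10-checked fields, the general DV, then factor+amount."""
    f1 = barcode[0:4] + barcode[19:24]
    f2 = barcode[24:34]
    f3 = barcode[34:44]
    return (f1 + mod10_check_digit(f1) + f2 + mod10_check_digit(f2)
            + f3 + mod10_check_digit(f3) + barcode[4] + barcode[5:19])


def linha_to_barcode(linha: str) -> str:
    """Inverse of barcode_to_linha; tolerates the dotted/spaced form a user types."""
    d = "".join(ch for ch in linha if ch.isdigit())
    if len(d) != 47:
        raise ValueError("linha digitavel must contain 47 digits")
    f1, f2, f3 = d[0:10], d[10:21], d[21:32]
    for f in (f1, f2, f3):
        if mod10_check_digit(f[:-1]) != f[-1]:
            raise ValueError("linha digitavel field check digit mismatch")
    free_field = f1[4:9] + f2[:10] + f3[:10]
    return f1[:4] + d[32] + d[33:47] + free_field


def compare_boletos(expected: str, presented: str) -> dict:
    """Fields that differ between the Boleto the user meant to pay and the one being submitted."""
    a, b = parse_boleto(expected), parse_boleto(presented)
    return {name: (getattr(a, name), getattr(b, name))
            for name in ("bank_code", "due_date", "amount_cents", "free_field")
            if getattr(a, name) != getattr(b, name)}


def demo() -> dict:
    """Constructed scenario: the user's genuine Boleto versus a substituted one that
    keeps the bank and due date but changes the amount and the beneficiary data."""
    genuine = build_boleto("001", SAMPLE_DUE, 150000, "1234567890123456789012345")
    swapped = build_boleto("001", SAMPLE_DUE, 1500000, "9999999999999999999999999")
    return compare_boletos(linha_to_barcode(barcode_to_linha(genuine)), swapped)


if __name__ == "__main__":
    for field, (was, now) in demo().items():
        print(f"{field}: expected {was!r}, presented {now!r}")
```

Note the caveat the parsing makes obvious: a Boleto produced by a legitimate generator library, as the report says the C&C does, carries a perfectly valid check digit, so `parse_boleto` accepting the barcode proves nothing about its origin. The useful signal is the diff in `compare_boletos` between what the user set out to pay and what the page is about to submit, which is exactly what the man-in-the-middle injection relies on nobody checking.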

"Boletos have been a lucrative target for Brazilian malware authors and local cyber-crime gangs for the past few years," Kessem told SC. "They continue to suffer attack campaigns by standalone Boleto malware, and now modular banking trojans as well." 

The IBM researchers speculate that the use of yet another commercial Zeus variant may signal a migration away from simpler Delphi-based malcode and collaboration with cyber-crime vendors outside Brazil, adding that they expect to see more iterations of this malware in the near future as well as a broader target base.

To prevent malware infections on endpoints, users should always keep their operating system up to date, update frequently used programs and delete those they no longer use, IBM advised.