Zeus Banking Trojan Returns To Snatch Passwords And Credentials

A banking trojan based on the source code of the infamous Zeus malware has been discovered by cyber security specialists Dr Web.

Dubbed Trojan.PWS.Sphinx.2, the trojan’s main purpose is to inject malicious content into webpages, for example a fake form for entering login and password details, so that cyber criminals can secretly harvest credentials from people browsing the web.

The main targets of Trojan.PWS.Sphinx.2 appear to be websites providing banking and credit services, where there is value in the data that can be snatched by cyber crooks.

Zeus 2.0

“Once launched, Trojan.PWS.Sphinx.2 injects itself into the Explorer (explorer.exe) running process and decrypts the loader body and the configuration file in which the C&C server’s address and encryption key are hidden,” said Dr Web’s threat post.

“Trojan.PWS.Sphinx.2 has a modular architecture: it requests additional plug-ins from the cybercriminals’ server. Two of these modules are designed to perform web injects on 32- and 64-bit versions of Windows, and the other two are for running a VNC server the cybercriminals can use to connect to an infected computer.

“In addition, Trojan.PWS.Sphinx.2 downloads and saves on the infected computer a set of utilities for installing a root digital certificate that can be used by cybercriminals to carry out MITM (man-in-the-middle) attacks. Moreover, the Trojan has a grabber—a module that intercepts data entered by the user into various forms and then sends it to the cybercriminals.”

Through the use of a PHP script and a PHP interpreter, Trojan.PWS.Sphinx.2 can automatically launch itself on an infected computer by placing the script in the system’s autorun folder. Information needed for the trojan’s operation is encrypted and stored in the Windows system registry, while the modules it uses are saved, also encrypted, to a separate file with a random extension, which makes the malicious code harder to detect natively.
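As an added illustration of what a defender could check for on a Windows host, the following PowerShell triage script (not from Dr Web or this article) looks for two of the artefacts described above: Startup-folder entries that invoke a PHP interpreter or a .php script, and root CA certificates installed into the current user’s certificate store. It assumes it is run as the user being checked, and treats any "php" reference in a Startup entry as suspicious simply because a PHP interpreter is not expected there.

```powershell
# Added host-triage script, not from Dr Web or the article.
# Assumptions: run as the user being checked; a "php" reference in a Startup
# entry is treated as suspicious because a PHP interpreter is not expected there.

function Find-SuspiciousStartupEntries {
    # Per-user and all-users Startup folders.
    $dirs = @([Environment]::GetFolderPath('Startup'),
              [Environment]::GetFolderPath('CommonStartup'))
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force) {
            # Resolve shortcuts to their target and arguments; read other files as text.
            $text = switch ($f.Extension.ToLower()) {
                '.lnk'  { $lnk = $shell.CreateShortcut($f.FullName); "$($lnk.TargetPath) $($lnk.Arguments)" }
                default { Get-Content -LiteralPath $f.FullName -Raw -ErrorAction SilentlyContinue }
            }
            if ($f.Extension -ieq '.php' -or $text -imatch 'php') {
                [PSCustomObject]@{ Check = 'StartupEntry'; Item = $f.FullName; Detail = $text }
            }
        }
    }
}

function Find-UserInstalledRootCerts {
    # The HKCU registry view of the Root store holds only roots added for this user,
    # so anything listed here was installed after Windows setup.
    $key = 'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates'
    if (-not (Test-Path -LiteralPath $key)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $key) {
        $thumb = $sub.PSChildName
        $cert = Get-Item -Path "Cert:\CurrentUser\Root\$thumb" -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Check  = 'UserRootCert'
            Item   = $thumb
            Detail = if ($cert) { "$($cert.Subject) valid from $($cert.NotBefore)" } else { 'not resolvable in Cert: drive' }
        }
    }
}

# Print both checks as one table; an empty result means neither artefact was found.
& { Find-SuspiciousStartupEntries; Find-UserInstalledRootCerts } | Format-Table -AutoSize
```

Any hit is a lead for investigation rather than proof of infection: a legitimately installed enterprise root CA or an administrator’s own PHP-based task would show up the same way.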

There seems to be a disturbing amount of malware making a comeback of late, including the Mokes malware, which made the jump from Windows and Linux machines to Mac OS X, and the rise of Xagent, which also targets Apple’s Macs.


Roland Moore-Colyer @RolandM_C

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
