Zeus Banking Trojan Returns To Snatch Passwords And Credentials

A banking trojan based on the source code of the infamous Zeus malware has been discovered by cyber security specialists Dr Web.

Dubbed Trojan.PWS.Sphinx.2, the trojan’s main purpose is to inject malicious content into webpages, for example a fake form for entering login and password details, so that cyber criminals can secretly harvest the credentials of people browsing the web.

The main targets of Trojan.PWS.Sphinx.2 appear to be websites providing banking and credit services, where the data that can be snatched by cyber crooks has real value.

Zeus 2.0

“Once launched, Trojan.PWS.Sphinx.2 injects itself into the Explorer (explorer.exe) running process and decrypts the loader body and the configuration file in which the C&C server’s address and encryption key are hidden,” said Dr Web’s threat post.

“Trojan.PWS.Sphinx.2 has a modular architecture: it requests additional plug-ins from the cybercriminals’ server. Two of these modules are designed to perform web injects on 32- and 64-bit versions of Windows, and the other two are for running a VNC server the cybercriminals can use to connect to an infected computer.

“In addition, Trojan.PWS.Sphinx.2 downloads and saves on the infected computer a set of utilities for installing a root digital certificate that can be used by cybercriminals to carry out MITM (man-in-the-middle) attacks. Moreover, the Trojan has a grabber—a module that intercepts data entered by the user into various forms and then sends it to the cybercriminals.”

Through the use of a PHP script and a PHP interpreter, Trojan.PWS.Sphinx.2 can automatically launch itself on an infected computer by placing the script in the system’s autorun folder. Information needed for the trojan’s operation is encrypted and stored in the Windows system registry, while the modules it uses are saved to a separate file with a random extension, also encrypted, which could make native detection of the malicious code challenging.
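As an added illustration of the defensive check this persistence trick invites (example code, not from the article or from Dr Web’s analysis), the PowerShell below lists every entry in the per-user and all-users Startup folders and flags any whose shortcut target or script contents reference a PHP interpreter. It assumes a Windows host and a locally available WScript.Shell COM object for resolving .lnk files; the "php" pattern is a deliberately broad, constructed heuristic.

```powershell
# Added example: enumerate Startup-folder entries and flag ones that invoke PHP.
# Assumption: Windows host; WScript.Shell is used only to resolve shortcut targets.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$shell = New-Object -ComObject WScript.Shell

foreach ($dir in $startupDirs) {
    if ([string]::IsNullOrEmpty($dir) -or -not (Test-Path -Path $dir)) { continue }

    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $item = $_
        if ($item.Extension -ieq '.lnk') {
            # Shortcut: inspect what it actually launches, plus its arguments.
            $sc = $shell.CreateShortcut($item.FullName)
            $detail = [string]("$($sc.TargetPath) $($sc.Arguments)")
        } else {
            # Script or other file dropped directly into Startup: inspect its contents.
            $detail = [string](Get-Content -Path $item.FullName -Raw -ErrorAction SilentlyContinue)
        }

        # Constructed heuristic: anything mentioning a PHP binary or .php script is worth a look,
        # since a PHP interpreter has no normal business in a workstation's Startup folder.
        $suspicious = $detail -match '(?i)php(\.exe)?\b'

        $summary = ($detail -replace '\s+', ' ')
        $summary = $summary.Substring(0, [Math]::Min(120, $summary.Length))

        [PSCustomObject]@{
            Path       = $item.FullName
            Suspicious = $suspicious
            Detail     = $summary
        }
    }
}
```

Run it in an elevated session to read the all-users folder reliably; a True in the Suspicious column is a lead to triage, not a verdict.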

There seems to be a disturbing amount of malware making a comeback of late, including the Moke malware, which managed to make the jump from Windows and Linux machines to Mac OS X, and the rise of Xagent, which also worked to target Apple’s Macs.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
