Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Corporate Workers Warned of ‘COVID-19 Payment’ Emails Delivering Banking Trojan

IBM and FireEye have spotted a campaign that relies on fake “COVID-19 Payment” emails to deliver the Zeus Sphinx banking trojan to people in the United States, Canada and Australia.

IBM and FireEye have spotted a campaign that relies on fake “COVID-19 Payment” emails to deliver the Zeus Sphinx banking trojan to people in the United States, Canada and Australia.

FireEye, which tracks the malware as SILENTNIGHT, reported seeing the malicious emails in the inboxes of “individuals at corporations across a broad set of industries and geographies.”

The emails have the subject line “COVID-19 payment” and they carry malicious documents named “COVID 19 relief.”

The emails seem to mainly target users in the US, Canada and Australia, and the targets in each of these countries have received slightly different emails. The emails sent to Canadians say the payment was approved by Canada’s prime minister, Justin Trudeau, and they claim the recipient can receive a check for 2,500 Canadian dollars if they fill out a form. In the messages sent to Australians, the amount is 2,500 Australian dollars.

COVID-19 payment email

MalwareHunterTeam researchers said one of the malicious emails was sent to someone at the Vancouver Police Department.

The attached Word document is protected by a password, but the password is included in the body of the email. When users open the document, they are instructed to enable macros, which leads to the Zeus Sphinx banking trojan being downloaded to their device.

Zeus Sphinx, which is also tracked as Zloader and Terdot, first emerged in 2015, when it only targeted the customers of banks in the United Kingdom. It later started targeting banks in North America, Brazil and Australia. The malware’s main goal is to harvest online banking credentials and other personal information by displaying phishing pages when the victim navigates to a bank’s website.

IBM says the trojan has been absent from the threat landscape for nearly three years, but now it appears to have resurfaced and the variant used in current attacks is only slightly different compared to the original.

Advertisement. Scroll to continue reading.

“While some Sphinx activity we detected trickled in starting December 2019, campaigns have only increased in volume in March 2020, possibly due to a testing period by Sphinx’s operators. It appears that, taking advantage of the current climate, Sphinx’s operators are setting their sights on those waiting for government relief payments,” IBM said.

In addition to this campaign, FireEye has seen phishing emails titled “Internal Guidance for Businesses Grant and loans in response to respond to COVID-19” being sent to the employees of financial services organizations in the US. The files attached to these emails lead to a fake message from the US Small Business Administration, which takes victims to a phishing page designed to harvest Microsoft account credentials.

FireEye believes that the stimulus bill announced recently by the United States and other financial compensation schemes coming in response to the coronavirus outbreak will lead to an increase in these types of attacks in the coming weeks.

The coronavirus pandemic has been exploited by threat actors for a wide range of campaigns, including to deliver malware, phishing and scams, and Proofpoint reported on Friday that 80 percent of the threats it has seen have leveraged the outbreak in some way.

Authorities in the United States and Europe recently issued warnings of increased malicious cyber-activity related to COVID-19.

Related: Coronavirus Confinement Challenges Intelligence Services

Related: Android Surveillance Campaign Leverages COVID-19 Crisis

Related: China-linked APT Hackers Launch Coronavirus-Themed Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.