Security Experts:

Corporate Workers Warned of 'COVID-19 Payment' Emails Delivering Banking Trojan

IBM and FireEye have spotted a campaign that relies on fake “COVID-19 Payment” emails to deliver the Zeus Sphinx banking trojan to people in the United States, Canada and Australia.

FireEye, which tracks the malware as SILENTNIGHT, reported seeing the malicious emails in the inboxes of “individuals at corporations across a broad set of industries and geographies.”

The emails have the subject line “COVID-19 payment” and they carry malicious documents named “COVID 19 relief.”

The emails seem to mainly target users in the US, Canada and Australia, and the targets in each of these countries have received slightly different emails. The emails sent to Canadians say the payment was approved by Canada’s prime minister, Justin Trudeau, and they claim the recipient can receive a check for 2,500 Canadian dollars if they fill out a form. In the messages sent to Australians, the amount is 2,500 Australian dollars.

COVID-19 payment email

MalwareHunterTeam researchers said one of the malicious emails was sent to someone at the Vancouver Police Department.

The attached Word document is protected by a password, but the password is included in the body of the email. When users open the document, they are instructed to enable macros, which leads to the Zeus Sphinx banking trojan being downloaded to their device.

Zeus Sphinx, which is also tracked as Zloader and Terdot, first emerged in 2015, when it only targeted the customers of banks in the United Kingdom. It later started targeting banks in North America, Brazil and Australia. The malware’s main goal is to harvest online banking credentials and other personal information by displaying phishing pages when the victim navigates to a bank’s website.

IBM says the trojan has been absent from the threat landscape for nearly three years, but now it appears to have resurfaced and the variant used in current attacks is only slightly different compared to the original.

“While some Sphinx activity we detected trickled in starting December 2019, campaigns have only increased in volume in March 2020, possibly due to a testing period by Sphinx’s operators. It appears that, taking advantage of the current climate, Sphinx’s operators are setting their sights on those waiting for government relief payments,” IBM said.

In addition to this campaign, FireEye has seen phishing emails titled “Internal Guidance for Businesses Grant and loans in response to respond to COVID-19” being sent to the employees of financial services organizations in the US. The files attached to these emails lead to a fake message from the US Small Business Administration, which takes victims to a phishing page designed to harvest Microsoft account credentials.

FireEye believes that the stimulus bill announced recently by the United States and other financial compensation schemes coming in response to the coronavirus outbreak will lead to an increase in these types of attacks in the coming weeks.

The coronavirus pandemic has been exploited by threat actors for a wide range of campaigns, including to deliver malware, phishing and scams, and Proofpoint reported on Friday that 80 percent of the threats it has seen have leveraged the outbreak in some way.

Authorities in the United States and Europe recently issued warnings of increased malicious cyber-activity related to COVID-19.

Related: Coronavirus Confinement Challenges Intelligence Services

Related: Android Surveillance Campaign Leverages COVID-19 Crisis

Related: China-linked APT Hackers Launch Coronavirus-Themed Attacks

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.