Sphinx: $500 Banking Trojan Emerges in the Underground

September 09, 2015

A new banking Trojan called Sphinx had been circulating in the cybercriminal underground by the end of August. Shortly after it was advertised for sale, forum admins duly verified the newly released malware, which was designed to sniff out sensitive banking credentials from infected computers.

Coded in C++, Sphinx is said to be based on the source code of the notorious ZeuS banking malware. Its developers peddled it as an online banking Trojan that takes full advantage of the anonymity of the Tor network, claiming that this lets it avoid detection by making it immune to sinkholing, blacklisting, and even the ZeuS tracking tool. While the creators claimed that bulletproof hosting is not needed to operate a botnet, they still recommend it.

Online banking is a technological advancement that offers users the convenience of handling banking transactions online, providing an easier way to manage finances, transfers, and payments. It does not come without its share of risks, though, especially given the number of cybercriminal tools and techniques designed to turn unsuspecting users of these convenient channels into victims.

In an earlier post, we published a brief history of several notable banking Trojans seen in the past, noting their continuing evolution from the first banking Trojans to the highly sophisticated malware seen today.

With this recent announcement, Sphinx is seen as the latest in a long line of discovered ZeuS variants. The advertised banking Trojan was initially sold for $500, with features that include form grabbing, web injects for Internet Explorer, Mozilla Firefox and the Tor browser, a keylogger, and an FTP and POP3 grabber. It also includes a certificate grabber, which gives it the ability to intercept certificates while they are in use in order to evade security warnings and bypass anti-malware.

The developers note that Sphinx is designed to operate on computers running Windows Vista and Windows 7, even those with the User Account Control (UAC) setting enabled. This means that Sphinx can work even on user accounts with low privileges. According to the devs, “when you install Sphinx, the bot creates its copy in the user’s home directory. This copy is tied to the current user and OS, and cannot be run by another user. The original copy of the same bot that was used for installation will be automatically deleted, regardless of the installation success.”

Its control panel is written in PHP and largely patterned after that of ZeuS, using the mbstring and mysql extensions. It provides operators with extensive reports on the number of infected devices, online bots, new bots, daily bot activity, as well as country and operating system statistics.

Server communication, on the other hand, uses an internal “white list”, which makes it possible to circumvent firewalls. Through this, the bot can be configured to send gathered reports, report its status to the server, and receive commands to execute on the infected system. All of this happens over HTTP, with all communications heavily encrypted using a unique key for each botnet.

Its Backconnect VNC capability, as developers say in its posting, is “the most essential feature of a banking Trojan”. This allows money transfers directly from the compromised computer. VNC is done on a different system, making it hidden and undetectable. The developers further stated that “you can steal money from the bank while the victim is playing multiplayer games or watching movies. Forget about configuring the browser, because when carding with Sphinx you don’t need to. With Backconnect VNC you can also remove anti-virus/rapport software from the victim’s computer. Port-forwarding for the victim is not required due to the use of Reverse connection.”

Much like ZeuS, Sphinx is capable of creating phishing pages that trick users into providing sensitive banking credentials. Webinjects, following the ZeuS format, are used to alter the content of a website so that an attacker can steal credit card data and other information. Webfakes, on the other hand, are used to carry out phishing attacks without having to lure the victim to a malicious URL.
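Because Sphinx reuses the ZeuS webinject format, an analyst who recovers a bot's configuration can parse it with the same tooling used for ZeuS to see which sites are targeted and what HTML is injected. The parser below is an added example, not code from Sphinx, ZeuS, or the article; it assumes the classic ZeuS `webinjects.txt` layout (a `set_url <url-mask> <flags>` line followed by `data_before`, `data_after` and `data_inject` sections, each closed by `data_end`, with `*` as the wildcard in URL masks). The sample configuration and the `bank.example` host are constructed for illustration.

```python
"""Parse a ZeuS-style webinject configuration into structured records.

Added example for defenders and analysts; not the malware's own code.
Assumes the classic ZeuS webinjects.txt layout described in the lead-in.
"""
import re

SECTION_NAMES = ("data_before", "data_after", "data_inject")

# Constructed sample config: two inject rules against a fictional bank.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_after
data_end
data_inject
<input type="text" name="pin" placeholder="ATM PIN">
data_end

set_url https://bank.example/account* G
data_before
<div id="balance">
data_end
data_after
</div>
data_end
data_inject
<div id="balance">$0.00</div>
data_end
"""


def parse_webinjects(text):
    """Return a list of dicts, one per set_url block, with the three
    section bodies joined back into strings."""
    injects = []
    current = None   # the set_url record being filled
    section = None   # name of the data_* section currently open, if any
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        stripped = line.strip()
        if section is not None:
            # Inside a data_* block everything is payload until data_end.
            if stripped == "data_end":
                section = None
            else:
                current[section].append(line)
            continue
        if not stripped:
            continue
        if stripped.startswith("set_url"):
            parts = stripped.split()
            if len(parts) < 2:
                raise ValueError("set_url without a URL mask: %r" % line)
            current = {
                "url": parts[1],
                # Flags such as G (GET) and P (POST) follow the mask; keep raw.
                "flags": parts[2] if len(parts) > 2 else "",
                "data_before": [], "data_after": [], "data_inject": [],
            }
            injects.append(current)
        elif stripped in SECTION_NAMES:
            if current is None:
                raise ValueError("%s before any set_url" % stripped)
            section = stripped
        else:
            raise ValueError("unexpected line outside a section: %r" % line)
    if section is not None:
        raise ValueError("unterminated %s section" % section)
    for inj in injects:
        for name in SECTION_NAMES:
            inj[name] = "\n".join(inj[name])
    return injects


def mask_to_regex(mask):
    """Translate a ZeuS URL mask (with * wildcards) into an anchored regex."""
    return re.compile("^" + ".*".join(re.escape(p) for p in mask.split("*")) + "$")


def matching_injects(injects, url):
    """Return the inject records whose URL mask matches the given URL."""
    return [inj for inj in injects if mask_to_regex(inj["url"]).match(url)]


def targeted_hosts(injects):
    """Sorted set of hostnames named in the URL masks (wildcards stripped),
    a quick way to list which institutions a config goes after."""
    hosts = set()
    for inj in injects:
        m = re.match(r"^[a-z]+://([^/*]+)", inj["url"])
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    print("targets:", targeted_hosts(rules))
    for rule in matching_injects(rules, "https://bank.example/login?lang=en"):
        print(rule["url"], rule["flags"], "injects:", rule["data_inject"])
```

The `data_before` pattern in ZeuS configs may itself contain `*` wildcards for matching page content; the parser keeps those bodies verbatim rather than interpreting them, since for triage the questions are usually which URLs are targeted and what markup gets injected.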

All of these capabilities have piqued the interest of users on the underground forum. In fact, thanks to the buzz surrounding it, security researcher Joseph Cox noted that the price has since doubled to $1,000 USD.

Following the hype after its initial posting and the demand from interested parties that came with it, Sphinx was then flagged as a scam, with testimonials from users who had bought the kit. Users who purchased the banking Trojan and paid in the digital currencies Bitcoin and DASH claim that after the payment transactions went through, no files were received. Motherboard noted a user comment saying, “Also paid for this 1 week ago and yet to receive any files, I have proofs but hoping Sphinx sorts it out.” As of this writing, no verification regarding the scam status of the banking Trojan has been provided. This article will be updated once new information and developments on the story arise.
