A new version of Zeus Sphinx, a sophisticated malware campaign that has been targeting banks in Brazil and Colombia, has been detected by IBM X-Force.
According to a blog post on Tuesday, IBM said that judging from its configuration file, the Zeus variant has been attacking online banking and Boleto payment services of three of the top Brazilian banks, as well as one bank in Colombia.
"Zeus Sphinx is similar to other sophisticated trojans we have seen targeting Brazil this summer," Limor Kessem, executive security advisor, IBM Security, and an author of the report, said in an email to SCMagazine.com. "The fraudsters operating it are likely local and working with other cybercriminals across the globe to execute the campaigns, timed for the Olympic games."
It is the second malware campaign targeting Brazil that the IBM X-Force team has detected within the last two weeks, likely using the spike in online activity owing to the Olympics to dupe users into clicking on malware spam and phishing pages, the report said.
The malware, which first appeared last August primarily targeting banks in Europe and Australia, is being sold to fraudsters on underground forums. Analysis of the malware by IBM found that it joined elaborate fraud tactics to steal credentials and one-time passwords.
"Sphinx attacks combine elaborate fraud tactics, such as social engineering injections to steal credentials and personal information, and on-the-fly man-in-the-middle injections to modify payments initiated by the victims," Kessem wrote to SC. "Although Sphinx is not new malware, the Zeus Sphinx v2 is new, and has been customized to target local banks in Brazil and Colombia."
As the barcode cannot be interpreted by anyone seeing it, victims are unaware that they are receiving a phony barcode that appears to come from their bank. When they send out the poisoned Boleto request, the transaction is rerouted to the fraudsters.
"Boletos have been a lucrative target for Brazilian malware authors and local cybercrime gangs for the past few years," Kessem told SC. "They continue to suffer attack campaigns by standalone Boleto malware, and now modular banking trojans as well."
The IBM researchers speculate that the use of another commercial Zeus variant may portend a migration from the use of simpler Delphi-based malcode and signal collaboration with cybercrime vendors outside of Brazill, adding that they expect to see more iterations of this malware in the near future as well as a broader target base.To prevent malware infections on endpoints, users should always keep their operating system up to date, update frequently used programs and delete those they no longer use, IBM advised.