IBM and FireEye have spotted a campaign that relies on fake “COVID-19 Payment” emails to deliver the Zeus Sphinx banking trojan to people in the United States, Canada, and Australia. The malware is also known as SILENTNIGHT, Zloader, and Terdot, and has been dormant for nearly three years. It has been detected in the inboxes of “individuals at corporations across a broad set of industries and geographies.” The emails are customized for each of the three targeted countries, either promising a “COVID-19 payment” in local currency, or offering guidance for business grants and loans in response to the pandemic. The payload is deployed by a Word-format document containing a macro.
