- Password-protected malicious document (dubbed COVID 19 Relief.doc) distributed via phishing email.
- It claims to gather details of individuals, for relief payments offered by the Government.
- Once opened, it enables macros features on the target’s computer, infecting with Sphinx banking Trojan.
- The malicious code hijacks Windows processes to fetch a malware downloader (kofet.dll).
- The downloader then fetches the final payload from C2C. After the system is fully compromised, the malware establishes persistence by modifying Windows registry, and injecting malicious data to %APPDATA% and other folders.