Zeus Sphinx banking Trojan masquerades as relief payment

Password-protected malicious document (dubbed COVID 19 Relief.doc) distributed via phishing email.
It claims to gather details of individuals, for relief payments offered by the Government.
Once opened, it enables macros features on the target’s computer, infecting with Sphinx banking Trojan.

The malicious code hijacks Windows processes to fetch a malware downloader (kofet.dll).
The downloader then fetches the final payload from C2C. After the system is fully compromised, the malware establishes persistence by modifying Windows registry, and injecting malicious data to %APPDATA% and other folders.

Sphinx targets major banks in the U.S., Canada, and Australia.
The malware uses web injects by patching legitimate browsers, to capture sensitive information such as credit card, debit card details, passwords, personal information, in the event that victims visit banking websites.

DFF2E1A0B80C26D413E9D4F96031019CE4567607E0231A80D0EE0EB1FC