The Phorpiex malware botnet has lurked around the internet for years and is used to deliver ransomware, spam email and more, but now Microsoft’s security team are taking a closer look at it.
The botnet has been known for using old-fashioned worms that spread via removable USB drives and instant messaging apps, began diversifying its infrastructure in recent years to become more resilient and to deliver more dangerous payloads, Microsoft said. The botnet’s geographic targeting for bot distribution and installation expanded, too, it said: more recent activity shows a shift to a more global distribution.
Phorpiex itself came under attack in early 2020 after someone apparently hijacked its backend and started uninstalling the spamming functionality from infected hosts. The hijacker even developed a popup warning users to install antivirus and update their computers.
Security firm Check Point noted in November 2020 that Phorpiex had been distributing the Avaddon ransomware, a then-new ransomware service rented out for other cybercrime groups to infect targets.
“Phorpiex is one of the oldest and most persistent botnets, and has been used by its creators for many years to distribute other malware payloads such as GandCrab and Avaddon ransomware, or for sextortion scams,” Check Point malware analysts noted.
One reason Microsoft is taking an interest in it is that the Phorpiex bot disables Microsoft Defender antivirus to maintain persistence on target machines.
“This includes modifying registry keys to disable firewall and antivirus popups or functionality, overriding proxy and browser settings, setting the loader and executables to run at startup, and adding these executables to the authorized application lists,” Microsoft notes in a blogpost.
Enterprise customers can prevent these attempts by enabling tamper protection in Microsoft Defender for Endpoint, Microsoft’s cloud-based advanced security feature, which will automatically revert changes made by the bot.
According to Check Point, in January Phorpiex was the second largest botnet to Emotet botnet, which law enforcement decommissioned in January and defanged in April.
Microsoft notes that from December 2020 to February 2021, the Phorpiex bot loader was encountered in 160 countries. The highest level of encounters were in Mexico (8.5%), Kazakhstan (7.8%), and Uzbekistan (7.3%). Unusually, US encounters only accounted for 2.8%.
“The combination of the wide variety of infection vectors and outcomes makes the Phorpiex botnet appear chaotic at first glance. However, for many years Phorpiex has maintained a consistent internal infrastructure using similar domains, command-and-control (C2) mechanisms, and source code,” Microsoft threat researchers note.
While the bot loader targets computers in Mexico and western Asia, its spam and extortion campaigns target multiple regions and languages.
“We observed Phorpiex operators requiring payment primarily through Bitcoin and Dash. Examples of one such cryptocurrency profit volume from a campaign in late February 2021 targeting English speaking users is below, with the subject ‘Payment from your account’,” says Microsoft.
The group made $13,000 in just 10 days using social engineering tricks like claiming in messages there were security bugs in Zoom. The scammers claimed the bug allowed them to capture video material, which they would use to extort victims.
Ransomware distribution possibly presents the greatest threat.
The Avaddon ransomware, distributed by Phorpiex, “performs language and regional checks for Russia or Ukraine before running to ensure only favored regions are targeted,” according to Microsoft.
Avaddon appears to be more of an automated type of ransomware than hands-on-keyboard operated ransomware. Avaddon usually demands a ransom of $700 worth of Bitcoin.