May 25, 2021

Phorpiex, a botnet known for extortion campaigns, has started diversifying its infrastructure. The botnet has now become more resilient and spreads more dangerous payloads. According to Microsoft, it now maintains a large network of bots and performs malicious activities across new geographies. What has happened? Since 2018, the botnet has been observed to be conducting data exfiltration and ransomware delivery activities. Traditionally, it performed extortion and spamming activities, however, now it is focusing on cryptocurrency mining as well. Phorpiex is spreading several ransomware families such as Nemty, Knot, BitRansomware (DSoftCrypt/ReadMe), GandCrab, Avaddon, and Pony. The botnet’s geographic targeting has changed too. Previous campaigns aimed at Japanese targets, while recent activities focus on global distribution. Its tactics, techniques, and procedures stayed largely the same, with common filenames, execution patterns, and commands nearly consistent from early 2020 to date. However, the botnet has shifted some of its previous C2 architecture away from its usual hosting. It now prefers domain generation algorithm domains over static domains. Additional insights Phorpiex can propagate via several infection vectors, such as being loaded by other malware, unwanted programs, freeware, or via phishing emails from already-infected bots. From December 2020 to February, it was spotted in 160 countries, including Mexico (8.5%), Kazakhstan (7.8%), and Uzbekistan (7.3%), while the U.S. accounted for only 2.8% of attacks The bot can disable Microsoft Defender antivirus to establish persistence on target machines. It can modify registry keys to disable antivirus and firewall functionality or popups. The malware used social engineering tricks to lure its victims, such as sending messages about security bugs in Zoom and earned around $13,000 in just 10 days. Conclusion The combination of multiple infection vectors, along with recent changes, makes this botnet complex and dangerous. Though, for many years, the Phopiex botnet has had the same internal infrastructure with C2 mechanisms and source code. Experts suggest organizations have a reliable anti-malware solution and keep an eye on emerging threats.