Phorpiex is a decade-old botnet, but it remains resilient by adapting to new threats and evolving its infrastructure, an approach that researchers say helps explain why botnets overall continue to drive a huge portion of the malware economy.
At its peak, Phorpiex controlled more than a million infected hosts, and the botnet continues to maintain a large network of bots and launch wide-ranging malicious activities. The botnet's operators are driving this perseverance by consistently revamping its types of malicious activities, veering to a more global distribution model and moving its command-and-control (C2) architecture away from traditional hosting to embrace domain generation algorithm (DGA) domains, said Microsoft in a Thursday report.
“Phorpiex... demonstrates that bots, which are some of the oldest types of threats, continue to affect consumer users but notably brings increasingly more serious threats to enterprise networks,” said researchers with the Microsoft 365 Defender Threat Intelligence Team. “Despite being traditionally associated with lower-risk activity like extortion and spamming, Phorpiex operators’ decision to move to more impactful malware and actions is entirely at the whim of the attackers.”
The Resiliency of Phorpiex
The botnet, first uncovered in 2010, is known for extortion campaigns - where attackers threaten to publish explicit information about the victim unless they pay - and using old-fashioned worms that were spread via removable USB drives and instant messaging apps. Phorpiex’s tactics, techniques, and procedures (TTPs) have remained largely unchanged, with attackers relying on common commands, filenames, and execution patterns over the last year, said researchers.
What has changed, however, is the botnet’s geographic targeting: This has grown from focusing primarily on victims in Japan to the bot loader being observed in 160 countries from December through February, with the most encounters in Mexico, Kazakhstan and Uzbekistan.
When it comes to operations, the botnet continues to find success in extortion campaigns, with Phorpiex operators accumulating over $13,000 in 10 days in a February campaign, for instance. Attackers have capitalized on this success by fine-tuning their extortion lures to keep up with the times - recently, for instance, Phorpiex extortion messages homed in on the booming remote workforce by including claims that flaws in popular teleconferencing applications, like Zoom, were what allowed them to capture their extortion material.
However, beyond these extortion campaigns, researchers said that starting in 2018 they observed an increase in data-exfiltration attacks and ransomware delivery by the Phorpiex operators. In the summer of 2020, for instance, the botnet started to spread the BitRansomware and Avaddon ransomware families. Cryptocurrency mining malware is another new functionality that Phorpiex has embraced, starting in 2019 with an XMRig miner used to monetize its hosts for Monero. As of February, the botnet also downloaded additional Ethereum miners and created variants with a “cryptocurrency-clipping functionality” accompanying the installation of the loader.
“In these instances, the malware checks clipboard values for a valid cryptocurrency wallet ID. If it finds one, it sets its own hardcoded value,” said researchers. “This method allows attackers to profit from existing mining installations or prior malware without having to bring in new software or remove old instances.”
In another recent development, Phorpiex started shifting its C2 architecture to utilize DGA domains. Attackers utilize DGAs in order to quickly generate a list of domains that can be used for malware’s C2 servers. DGAs allow attackers to quickly switch the domains that they’re using for the malware attacks - ultimately making it harder for defenders to protect against attacks.
“In a very recent development, we observed that most Phorpiex bot loader malware have abandoned branded C2 domains and have completely moved to using IPs or DGA domains,” said researchers. “However, as in the past, the operators neglected to register all the potential sites that the DGA domains resolve to.”
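The shift to DGA domains is what makes this traffic hard to block by name, so defenders typically look for the statistical shape of such names instead. The following is an added example, not code from the article or from Microsoft's report: a simple entropy and vowel-ratio heuristic run over constructed DNS log lines to surface hosts that query several DGA-looking names in a row. The log format, the domain samples and the thresholds are all assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not real traffic): timestamp, client IP, "query", name.
SAMPLE_DNS_LOG = """\
2021-02-10T08:01:12Z 10.0.0.15 query www.microsoft.com
2021-02-10T08:01:13Z 10.0.0.15 query update.zoom.us
2021-02-10T08:01:15Z 10.0.0.22 query xk3qz9vtpw4hlm.com
2021-02-10T08:01:15Z 10.0.0.22 query qwrtpzlkv7mnbx.net
2021-02-10T08:01:16Z 10.0.0.22 query hfjdks8ql2vznp.org
2021-02-10T08:01:20Z 10.0.0.31 query mail.example.org
"""

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(fqdn):
    """Return the registrable label, e.g. 'microsoft' for www.microsoft.com."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_like_dga(fqdn, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels resemble DGA output.
    Thresholds are assumed values; tune them against your own baseline."""
    label = second_level_label(fqdn)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def flag_hosts(log_text, min_hits=3):
    """Return {client: count} for clients with at least min_hits DGA-looking queries.
    Counting per host reduces noise from the odd legitimate random-looking name."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed or non-query lines
        client, name = parts[1], parts[3]
        if looks_like_dga(name):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}
```

CDN and cloud hostnames can also look random, so in practice the per-host count and a whitelist of known infrastructure matter more than any single threshold.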
The Future of Phorpiex
Researchers believe that Phorpiex will continue to evolve, pointing to recent findings that indicate that the botnet operators are actively developing a new loader and novel monetization strategies.
“In December 2020 and January 2021, we observed non-weaponized staging of Knot ransomware on Phorpiex servers,” said researchers. “In February, we also detected commodity malware such as Mondfoxia (also known as DiamondFox) in these servers.”
Botnets, like Mirai, have proven lucrative to cybercriminals as they provide large and diverse networks of compromised machines to deliver payloads at low costs. Phorpiex illustrates that even older botnets continue to pave the way for newer, modular delivery mechanisms, said researchers.
“Our many years of experience analyzing, monitoring, and even working with law enforcement and other partners to take down botnets tell us that alternative infrastructures rise as attackers try to fill in the void left by disrupted botnets,” said researchers. “Typically, new infrastructures are born as a result of these movements, but in the case of Phorpiex, an established botnet adapts and takes over.”