By Domesticus in Worms

Threat Scorecard

Ranking: 16,382
Threat Level: 80 % (High)
Infected Computers: 92
First Seen: April 11, 2012
Last Seen: June 27, 2023
OS(es) Affected: Windows

Phorpiex is a group of worms that affects computers running the Windows operating system. These worms have been around for several years and present a severe threat to an infected computer. Keep your anti-malware solution updated with the latest virus definitions at all times in order to protect your computer from variants in the Phorpiex family. Phorpiex worms tend to spread using removable memory devices and Autorun exploits, a common tactic of many worms. Phorpiex variants are also designed to use Windows Live Messenger and other instant messaging applications in order to spread from one computer to another. The main payload of most Phorpiex variants is a backdoor into the infected computer, which then allows criminals to control that computer from a remote location.


Phorpiex was documented by cybersecurity researchers for the first time in February 2016, although the threat had existed for much longer on the malware market. Often referred to as an "IRC worm," in 2016 Phorpiex spread over live chat in Windows Messenger and Skype, as well as through USB storage drives. In the following years, new versions of the malware started infecting machines through spam email campaigns and weakly protected RDP services, but the overall architecture and functions of the worm remained the same. Currently, Phorpiex, also known as the Trik botnet (not to be confused with the TrickBot banking Trojan, which is a different threat), is known for dropping a broad range of malicious payloads on target computers, including some of the most dreadful ransomware threats and cryptocurrency miners.

Worms like Phorpiex are designed to hide themselves, without alerting their victims to the presence of the infection. In this way, Phorpiex can operate in the background and allow criminals to take over the infected computer and use it from their own devices. It is possible to detect the presence of Phorpiex by being aware of the common system changes associated with Phorpiex and other worms. For example, as with other worms that exploit the Autorun functionality of removable memory devices, a removable memory device carrying the Phorpiex infection can be recognized because it will suddenly contain hidden files and folder icons that are actually cleverly disguised shortcuts leading to Phorpiex's executable files. Files associated with Phorpiex include executables with names such as windsrcn.exe, winmgr.exe, winsam.exe and winsrvc.exe. The Phorpiex worm and its variants will also change the infected computer's registry to ensure that the executable runs automatically upon start-up, disguising the malicious registry entry as a 'Microsoft Windows Update'.

Phorpiex is a serious cyber-security threat, as it can send tremendous volumes of spam and carries an infection chain that is rarely observed by researchers and can only be compared to some of the biggest documented Emotet attacks. The worm has been caught in over 1.4 million malicious email messages in 2019 alone, with the biggest part of this campaign launching since the beginning of April 2019.

Phorpiex/Trik Botnet Has a Simple Structure

Some of the first described samples of Phorpiex revealed that this worm is not particularly sophisticated and could be reverse-engineered easily. In 2016, it had a simple technique to evade virtual machines, and that seemed to be its only anti-detection feature. The anti-VM code has been removed from most of the samples analyzed in 2018 and 2019, yet some samples retained it. Some samples modify the Windows registry in order to disable anti-virus and firewall protection; the affected registry values include UpdatesOverride, AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride, FirewallDisableNotify, and AutoUpdateDisableNotify. Phorpiex/Trik does not hide itself very well, and its malicious files can be easily recognized on the hard disk because they are not obfuscated.

Phorpiex/Trik botnet operators mainly instruct it to do three things:

  • Download and run other malware threats on target computers

  • Acquire unauthorized access through poorly protected protocols by checking popular login/password combinations on a list of servers

  • Spread malicious executables by email

Phorpiex/Trik Botnet Is Known for Deploying GandCrab Ransomware

Since 2018, a new variant of the Phorpiex/Trik botnet has been circulating and, according to researchers, the infamous GandCrab ransomware is at the heart of these recent campaigns. Now, the malware focuses on targeting corporate networks that operate server-side remote access applications without adequately protecting their protocols. Therefore, a typical victim would be a large organization that offers remote-work options to its employees.

To initiate an attack, Trik would scan the web for Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) endpoints via port 5900. Then, it would launch brute-force attacks against randomly chosen targets, testing a list of popular username and password combinations until it penetrates endpoints where such weak credentials have been used and the protocols have not been adequately protected. The Trik botnet would then use these compromised endpoints as a means to infect the entire corporate network with malware.

Phorpiex Worm Can Sneak Through Malicious Zip-File Attachments

Some of the recently analyzed samples also spread through phishing emails with attached zip files. Once an unsuspecting user launches the JavaScript file inside the zip, the Phorpiex worm loads, followed by GandCrab ransomware, the Ursnif ISFB (Gozi) banking Trojan, and a cryptocurrency miner known as CryptoNight XMRig. The obfuscated JavaScript in the zip file launches the Windows Script Host (wscript.exe) to leverage PowerShell, which downloads an executable named "good.exe" from a server located in the Russian Federation.

The good news for users is that Phorpiex/Trik spam emails are easy to recognize as they follow the same pattern each time. The addresses from which they are sent have the same structure: bogus names followed by two numbers@ four random, for example, "Bonita Rogers ." The email subject varies, but the body always contains the same smiley emoji and an attached zip file with a name that suggests the content consists of JPG files, for example, "

The most common source of a Phorpiex infection is connecting an infected removable drive to your computer. To ensure that its files get opened, Phorpiex sets the infected drive's folders to hidden and then creates fake folder icons with the same names. These folder icons are actually shortcuts to Phorpiex's executable file. The other most common way Phorpiex spreads is by convincing victims to click on links distributed in malicious instant messages that are sent automatically from infected computers. ESG security researchers have observed variants of these malicious instant messages in multiple languages, all carrying a variant of Phorpiex.
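The following is an added example, not code from this write-up or from any vendor tool, that turns the removable-drive indicators described here and in the earlier section on hidden folders and disguised shortcuts (plus the 'Microsoft Windows Update' autostart entry) into a small triage check. The dot-prefix fallback for the Hidden attribute on non-Windows hosts, the Run-key value names and the sample paths are assumptions or constructed test data, not observed samples.

```python
import ntpath
import os
import stat
from dataclasses import dataclass

# Executable names the write-up associates with Phorpiex.
PHORPIEX_EXE_NAMES = {"windsrcn.exe", "winmgr.exe", "winsam.exe", "winsrvc.exe"}

@dataclass(frozen=True)
class Entry:
    name: str      # file or folder name as shown on the drive
    is_dir: bool
    hidden: bool   # Hidden attribute set

def _is_hidden(path: str) -> bool:
    # Windows: Hidden attribute via st_file_attributes; elsewhere dot-prefix (assumption).
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")

def list_folder(root: str) -> list[Entry]:
    # Build Entry objects for one folder, e.g. the root of a USB drive.
    return [Entry(n, os.path.isdir(os.path.join(root, n)),
                  _is_hidden(os.path.join(root, n))) for n in os.listdir(root)]

def find_drive_indicators(entries: list[Entry]) -> list[str]:
    """Flag hidden folder + same-named shortcut, autorun.inf, and known file names."""
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.hidden}
    findings = []
    for e in entries:
        lname = e.name.lower()
        stem, ext = os.path.splitext(lname)
        if lname in PHORPIEX_EXE_NAMES:
            findings.append(f"known Phorpiex executable name: {e.name}")
        elif lname == "autorun.inf":
            findings.append("autorun.inf present (Autorun spreading vector)")
        elif ext == ".lnk" and not e.is_dir and stem in hidden_dirs:
            findings.append(f"shortcut {e.name} shadows hidden folder {stem}")
    return findings

def find_run_key_indicators(run_values: dict[str, str]) -> list[str]:
    """run_values: autostart value name -> command, as read from a Run key.
    Flags entries posing as 'Microsoft Windows Update' that launch a Phorpiex file."""
    hits = []
    for name, command in run_values.items():
        exe = ntpath.basename(command.strip().strip('"')).lower()  # args not parsed
        if "windows update" in name.lower() and exe in PHORPIEX_EXE_NAMES:
            hits.append(f"Run value '{name}' launches {exe}")
    return hits
```

On a Windows host, `find_drive_indicators(list_folder("E:\\"))` runs the check against a mounted drive; the Run-key values can be fed in from whatever registry export you have at hand.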
