The Phorpiex botnet has been running for years now. It initially focused on distributing old-fashioned worms that spread through infected USB drives or through Internet Relay Chat (IRC)-based chats. Over the years, it has evolved to include a plethora of malicious activity ranging from extortion and spam to data exfiltration, ransomware attacks, and most recently sextortion.
For those unfamiliar with sextortion, it is an attack where the bad guys threaten the victims to distribute their private and sensitive materials if they do not give the extortionists sexual images, sexual favors, or money.
To help investigate and possibly avoid this threat, we’ve expanded a public list of Indicators of Compromise (IoCs) so that users can avoid accessing as many related web properties as possible.
What is known so far
At the time of analysis, a total of 1,279 IP addresses connected to Phorpiex bots had been published by IBM X-Force Exchange, although the list continues to grow. Here are some other interesting facts:
- Phorpiex botnet activity peaked on July 29, 2021.
- Almost 85% of spam from the Phorpiex botnet is sent on weekdays around 12:00 p.m.
- The actors behind the Phorpiex botnet extorted payments in the form of Bitcoin.
- Phorpiex operators earn between 50,000 and 160,000 USD per day.
New results from the Phorpiex botnet
While the botnet’s operators likely shut it down when its source code went on sale on the Dark Web, users could still fall prey to it if someone buys the code, given how profitable it is. With that in mind, we’ve expanded the list of IoCs to help them protect against the threat.
Running the 1,279 malicious IP addresses through a bulk reverse IP lookup gave us a list of 638 potentially connected domains that users should avoid accessing. Four of them (listed below) are classified as malicious and should be blocked on networks:
Screenshot lookups for the four malicious domains showed that three of them (the last three listed) were unreachable at the time of the scan. The first domain displayed what appeared to be a login page for a security application.
The other 634 may require monitoring in case they are used to distribute malware related to Phorpiex, especially given their connection to malicious IP addresses on IBM’s list.
Subjecting all 638 domains to a bulk WHOIS search provided unmasked (i.e., not hidden behind privacy services) email addresses. These resolved to 16 unique email addresses (some were used for multiple domains) that users can add to their blocklists.
Using the 16 email addresses as search terms for historical reverse WHOIS lookups on Maltego gave us an additional IP address and 178 domains. While none of these are currently detected as dangerous, given their ties to the holders of the first set of domains (the 638 resulting from the bulk reverse IP lookup), they may at least be worth monitoring.
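The three-step pivot described above (reverse IP lookup on the seed IPs, bulk WHOIS for unmasked registrant emails, historical reverse WHOIS on those emails) can be scripted so that each new finding is bucketed by how directly it ties back to the seed list. The following is an added example, not code from the original post or from any lookup vendor; the lookup tables, domain names, IPs and email addresses are constructed sample data standing in for API responses, and the `DETECTED_MALICIOUS` set stands in for whatever reputation feed the analyst uses.

```python
"""IoC expansion by infrastructure pivoting on a constructed offline dataset."""

# Constructed seed list (stands in for the published bot IP addresses).
SEED_IPS = ["198.51.100.10", "198.51.100.11", "203.0.113.5"]

# Constructed reverse IP table (passive-DNS style): IP -> domains seen resolving to it.
REVERSE_IP = {
    "198.51.100.10": ["alpha-example.test", "beta-example.test"],
    "198.51.100.11": ["beta-example.test", "gamma-example.test"],
    "203.0.113.5": ["delta-example.test"],
}

# Constructed WHOIS table: domain -> registrant email, or None when a privacy service hides it.
WHOIS = {
    "alpha-example.test": "reg1@example.test",
    "beta-example.test": None,
    "gamma-example.test": "reg2@example.test",
    "delta-example.test": "reg1@example.test",
}

# Constructed historical reverse WHOIS table: email -> every domain ever registered with it.
REVERSE_WHOIS = {
    "reg1@example.test": ["alpha-example.test", "delta-example.test", "epsilon-example.test"],
    "reg2@example.test": ["gamma-example.test", "zeta-example.test"],
}

# Constructed current A records for the pivoted domains (source of "additional" IPs).
DNS_A = {"epsilon-example.test": "192.0.2.77", "zeta-example.test": "203.0.113.5"}

# Constructed stand-in for a reputation feed that already flags some domains.
DETECTED_MALICIOUS = {"gamma-example.test"}


def reverse_ip_lookup(ips, table=REVERSE_IP):
    """Step 1: map each seed IP to the domains observed resolving to it."""
    domains = set()
    for ip in ips:
        domains.update(table.get(ip, []))
    return sorted(domains)


def unmasked_registrant_emails(domains, whois=WHOIS):
    """Step 2: collect registrant emails that are not hidden behind privacy services."""
    emails = {whois.get(domain) for domain in domains}
    emails.discard(None)
    return sorted(emails)


def reverse_whois_lookup(emails, table=REVERSE_WHOIS):
    """Step 3: pivot on each registrant email to the other domains it registered."""
    domains = set()
    for email in emails:
        domains.update(table.get(email, []))
    return sorted(domains)


def expand_iocs(seed_ips):
    """Run all three pivots and bucket the results by how directly they tie to the seeds.

    'block'            -> first-set domains already flagged as malicious
    'monitor'          -> first-set domains hosted on seed IPs but not (yet) flagged
    'emails'           -> unmasked registrant emails, usable in blocklists
    'registrant_pivot' -> domains found only through the registrant pivot (lowest confidence)
    'new_ips'          -> IPs the pivoted domains resolve to that were not in the seed list
    """
    first_set = reverse_ip_lookup(seed_ips)
    emails = unmasked_registrant_emails(first_set)
    pivoted = reverse_whois_lookup(emails)
    second_set = sorted(set(pivoted) - set(first_set))
    new_ips = sorted({DNS_A[d] for d in second_set if d in DNS_A} - set(seed_ips))
    return {
        "block": sorted(d for d in first_set if d in DETECTED_MALICIOUS),
        "monitor": sorted(d for d in first_set if d not in DETECTED_MALICIOUS),
        "emails": emails,
        "registrant_pivot": second_set,
        "new_ips": new_ips,
    }


if __name__ == "__main__":
    for bucket, items in expand_iocs(SEED_IPS).items():
        print(f"{bucket}: {', '.join(items) if items else '(none)'}")
```

Keeping the buckets separate matters for prioritization: a domain that resolves to a known bot IP and is already flagged belongs on a blocklist, while a domain found only because it shares a registrant email with one of those is weaker evidence and is better treated as a monitoring candidate, which mirrors the distinction the post draws between the four malicious domains, the remaining 634, and the 178 registrant-pivoted domains.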
For users who want to keep a close eye on the entire list of web properties (including newly found artifacts), these facts can help prioritize:
We have seen the Phorpiex botnet survive for years by moving with the tide (changing its tools, tactics, and procedures [TTPs]) to keep its attacks successful. And even if its original creators or operators appear to be retiring, their departure from the scene may not mean the botnet is dead.
Please feel free to contact us if you would like a copy of the full list of additional Phorpiex botnet extortion artifacts that we have found or to discuss potential security research collaborations.