Phorpiex (Trik) Botnet

Phorpiex (also known as Trik) is a modular botnet with worm functionality, which distributes ransomware payloads, cryptocurrency miners and spam.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in 2010, Phorpiex (also known as Trik) is a modular worm and botnet used to deliver other payloads and to run extortion campaigns. It propagates via emails containing malicious attachments and can also spread through removable USB drives.


Delivery and Activities

Phorpiex enrols new systems into its botnet by distributing a backdoor module in spam emails sent from previously compromised systems. These emails typically carry a malicious ZIP or other archive attachment disguised as an image file. When opened, the attachment runs a preliminary loader which downloads Phorpiex onto the host. Reports also indicate that Phorpiex may be distributed via drive-by download or through spoofed image-download sites.

Phorpiex also has a self-replication mechanism that spreads via removable USB drives attached to a compromised system. It checks for connected removable drives, then copies the backdoor and its configuration files, along with an LNK shortcut that launches the malware, into a series of hidden folders on each drive it finds.
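The propagation layout above (hidden folders on a removable drive holding a copy of the malware, its configuration and an LNK shortcut that launches it) can be swept for from the host side. The following Python script is an added example, not code from this advisory or from any Phorpiex analysis: it enumerates drives that Windows reports as removable (via the GetDriveTypeW API), walks them and reports any hidden directory that contains both a .lnk launcher and an executable payload. The folder and file names in its self-test are constructed, and treating a dot-prefixed name as hidden is an assumption made only so that the self-test also runs on non-Windows systems.

```python
"""Sweep a drive for the hidden-folder + LNK launcher layout described above.

Added example, not code from the NHS Digital advisory; the folder and file
names used by the self-test are constructed, not Phorpiex's real ones.
"""
import ctypes
import os
import shutil
import stat
import string
import sys
import tempfile
from typing import Dict, List

DRIVE_REMOVABLE = 2                  # GetDriveTypeW() result for removable media
LAUNCHER_EXT = {".lnk"}
PAYLOAD_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".vbs", ".js"}


def removable_drives() -> List[str]:
    """Drive roots that Windows reports as removable; empty on other platforms."""
    if sys.platform != "win32":
        return []
    k32 = ctypes.windll.kernel32
    return [f"{c}:\\" for c in string.ascii_uppercase
            if k32.GetDriveTypeW(f"{c}:\\") == DRIVE_REMOVABLE]


def is_hidden(path: str) -> bool:
    """Windows hidden attribute; a leading dot also counts so that the self-test
    works on POSIX (a portability assumption, not a Phorpiex trait)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    return bool(attrs & hidden_bit) or os.path.basename(path).startswith(".")


def under_hidden_dir(root: str, dirpath: str) -> bool:
    """True if any directory between root (exclusive) and dirpath (inclusive) is hidden."""
    rel = os.path.relpath(dirpath, root)
    if rel == os.curdir:
        return False
    cur = root
    for part in rel.split(os.sep):
        cur = os.path.join(cur, part)
        if is_hidden(cur):
            return True
    return False


def scan_tree(root: str) -> Dict[str, List[str]]:
    """{hidden_dir: files} for hidden directories holding both a .lnk launcher
    and an executable payload; a hidden dir with only e.g. desktop.ini is ignored."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if not under_hidden_dir(root, dirpath):
            continue
        exts = {os.path.splitext(f)[1].lower() for f in files}
        if exts & LAUNCHER_EXT and exts & PAYLOAD_EXT:
            findings[dirpath] = sorted(files)
    return findings


def self_test() -> Dict[str, List[str]]:
    """Build a constructed drive image in a temp dir, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="usb_")
    layout = {                       # constructed; names are not Phorpiex's
        os.path.join(".sysdata", "Removable Disk.lnk"): b"lnk",
        os.path.join(".sysdata", "winsvcs.exe"): b"MZ",
        os.path.join(".sysdata", "cfg.dat"): b"",
        os.path.join(".Trashes", "desktop.ini"): b"",    # hidden but benign
        os.path.join("Photos", "holiday.jpg"): b"\xff\xd8",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for drive in removable_drives():
        for hidden_dir, files in scan_tree(drive).items():
            print(hidden_dir, files)
    print(self_test())
```

Run it as a scheduled task on endpoints that must accept removable media. A hit is a reason to image the drive and pull the shortcut for analysis, not to open it; the payload extension list is a starting point and should be extended to whatever the organisation's application control already blocks.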

Once executed, Phorpiex checks the host system and terminates if it detects a sandbox or virtual environment. It also checks the host's regional settings and terminates if an excluded region is detected. To persist on the host, Phorpiex modifies registry keys, adding its executables to the Windows Firewall authorised applications list and setting them to run at startup. It also attempts to disable the firewall, antivirus and Windows Defender real-time protection, and to suppress the Security Center notifications that would otherwise alert the user to those changes.

Phorpiex connects to a command and control (C2) infrastructure to download updates and any additional modules. These modules are used to provide the following capabilities:

Data collected by these modules is regularly uploaded to the C2 servers. Phorpiex's C2 infrastructure often uses domain generation algorithm (DGA) domains so that blocking any one domain does not cut off the botnet.

In recent campaigns Phorpiex has been observed delivering BitRansom and Avaddon ransomware, either through its spam-mailing functionality or directly to enrolled systems. The botnet also sends sextortion spam from enrolled devices, claiming to hold illicit content of the recipient in an attempt to extort payment. Since 2019, Phorpiex has installed the XMRig mining application as a module and has recently added further cryptocurrency miners. Most variants also carry a clipboard-clipper module, which replaces cryptocurrency wallet addresses copied to the clipboard with the attacker's own address so that payments are redirected.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
  • Removable USB drives and devices are monitored and controlled, and their use is blocked unless deemed necessary.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

IP addresses

  • 45[.]182[.]189[.]251
  • 45[.]66[.]156[.]175
  • 45[.]66[.]156[.]176
  • 51[.]15[.]42[.]19
  • 62[.]210[.]177[.]189
  • 87[.]120[.]37[.]156
  • 87[.]120[.]37[.]234
  • 87[.]120[.]37[.]235
  • 92[.]63[.]197[.]106
  • 92[.]63[.]197[.]112
  • 92[.]63[.]197[.]153
  • 92[.]63[.]197[.]38
  • 92[.]63[.]197[.]48
  • 92[.]63[.]197[.]59
  • 92[.]63[.]197[.]60
  • 94[.]156[.]133[.]65
  • 95[.]81[.]1[.]43
  • 112[.]126[.]94[.]107
  • 123[.]56[.]228[.]49
  • 124[.]158[.]10[.]82
  • 125[.]212[.]217[.]30
  • 125[.]212[.]217[.]33
  • 127[.]181[.]87[.]80
  • 130[.]185[.]250[.]214
  • 154[.]35[.]175[.]225
  • 172[.]104[.]40[.]92
  • 183[.]81[.]171[.]242
  • 185[.]176[.]27[.]132
  • 185[.]189[.]58[.]222
  • 185[.]215[.]113[.]10
  • 185[.]215[.]113[.]8
  • 185[.]215[.]113[.]93
  • 193[.]32[.]161[.]69
  • 193[.]32[.]161[.]73
  • 193[.]32[.]161[.]77
  • 210[.]211[.]116[.]246
  • 213[.]32[.]71[.]116
  • 220[.]181[.]87[.]80

Domains

  • feedmefile[.]top
  • gotsomefile[.]top
  • thaus[.]to
  • thaus[.]top
  • thaus[.]ws
  • tldrbox[.]com
  • tldrbox[.]top
  • tldrbox[.]ws
  • tldrhaus[.]top
  • tldrnet[.]top
  • tldrzone[.]com
  • tldrzone[.]top
  • tsrv1[.]com
  • tsrv1[.]ws
  • tsrv2[.]top
  • tsrv2[.]ws
  • tsrv3[.]ru
  • tsrv3[.]ws
  • tsrv4[.]ws
  • tsrv5[.]top
  • vitamind[.]top
  • w4tw4tw4tw4t4[.]jo
  • worm[.]ws
  • xmrupdtemall[.]top

Host indicators

MD5 hashes

  • 051356bee1541f592d66969af46feb95
  • 0d7f456f908565fb547438cb402a4eff
  • 1462114257a6fcc52a8782c2a2616009
  • 1727de1b3d5636f1817d68ba0208fb50
  • 1f4447c12a0b8f99c1ce5b748c762a9f
  • 20ef08bdae07f3494e20195e65d7b7f5
  • 2c50efc0fef1601ce1b96b1b7cf991fb
  • 2d33fd32d8ec7b7d0ed379b80a167ff4
  • 383498f810f0a992b964c19fc21ca398
  • 49d218a1a09ba212e187dc2de923ba62
  • 53cb3f1e57fbd596463d164d1ca79a14
  • 58198a2ebac604399c3e930207df47f1
  • 5b046452db5836deb47e359b4462ee16
  • 5c17496674a49f7ebaa44c5b33d32ae4
  • 5c79b524fb8d9bb4e9a3d79fe543c011
  • 646c630aa377f414e1e6820916952e1e
  • 64990a45cf6b1b900c6b284bb54a1402
  • 6628c07aadd53f34357b9b63e07d62b8
  • 69076366f1a1bd622c0d813709f29e4a
  • 790b14490eb56622f3cfa768887fcb08
  • 7f52a1c1d63053bcf02c6225e4245345
  • 82eecd3b80caa7d0f51aba4ee8149c1a
  • 8887f6f532a489fcab28eba80185337b
  • 8a74d531fa839caf056a7a9c24237cd7
  • 8f9b7c1c2b84b8c71318b6776d31c9af
  • 9398682b9740d15dfb7b2996364cd979
  • 9434796df2d62e4f666525419db86d18
  • 97835760aa696d8ab7acbb5a78a5b013
  • 99a349f6b758c80e9a1b88d1895e7790
  • 9af3d711fd4733181fcd78796dd21cfa
  • a0039fbc46f2e874f2e4151712993343
  • a24bb61df75034769ffdda61c7a25926
  • a267bf9e58726a34a91c365b61e1424a
  • a2d30294e59cd15304d071c396618fa7
  • a8ab5aca96d260e649026e7fc05837bf
  • aa0d8b2506376c95ba314e14f08a9b49
  • af1cf2281597aba08e40cf7c030d71a9
  • afe348ff22ad43e98ee7ab19a851b817
  • b5dffcdf23ea0365c0bbf6e70983d351
  • b69270ee30bd20694948dba6c09ead7f
  • ba24a030bd4d4b89a6ad16249d1674c2
  • c58bd54c962d4e236e770df983fd2329
  • c63a7c559870873133a84f0eb6ca54cd
  • cc89100f20002801fa401b77dab0c512
  • d7cfd3b8d83ca0af1518267a15f9c249
  • d85dcfd49b8e259f4135fa9f021f250a
  • d9e59a4295926df49c8d6484aa6b8305
  • e24b40197da64a4baa9a81cc735e839b
  • e5aea3b998644e394f506ac1f0f2f107
  • f0c7f0823de1a9303aa26d058c9951a0
  • f1a69224571f7749f261fd8c08d6d8cb
  • f3dcf80b6251cfba1cd754006f693a73
  • f8c110929606dca4c08ecaa9f9baf140
  • fc729a08001392406565808408cf6166

Registry key changes

  • \FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • \Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services
  • \Microsoft\Security Center\AntiVirusOverride
  • \Microsoft\Security Center\AntiVirusDisableNotify
  • \Microsoft\Security Center\FirewallOverride
  • \Microsoft\Security Center\FirewallDisableNotify
  • \Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • \Microsoft\Security Center\UpdatesOverride
  • \Microsoft\Security Center\UpdatesDisableNotify
  • \Microsoft\Windows NT\CurrentVersion\SystemRestore
  • \Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
  • \Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
  • \Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
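The indicators above are more useful once they can be matched mechanically against proxy or DNS logs, file-hash inventories and registry exports from suspect hosts. The following Python script is an added example, not code from this advisory: it refangs a subset of the network indicators, matches them as whole tokens against log lines, compares an MD5 inventory against the hash list, and walks a .reg export looking for the registry paths listed under Host indicators, which are the same Run value, firewall whitelist and Defender settings described under Threat details. All inputs it carries (log lines, hash inventory, registry export and the file names in them) are constructed samples. The hive prefixes in the registry sample (HKLM\SOFTWARE\... and the SharedAccess\Parameters path for the firewall policy) are the usual locations, assumed here because the advisory lists the paths without a hive.

```python
"""Match the advisory's network and host indicators against local data.

Added example, not code from the NHS Digital advisory; the log lines,
hash inventory and registry export below are constructed samples.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# A subset of the advisory's indicators, kept in their defanged form.
DEFANGED_DOMAINS = ["tldrbox[.]top", "worm[.]ws", "xmrupdtemall[.]top"]
DEFANGED_IPS = ["185[.]215[.]113[.]10", "92[.]63[.]197[.]106"]
KNOWN_MD5 = {"051356bee1541f592d66969af46feb95", "fc729a08001392406565808408cf6166"}
# Registry indicators as the advisory prints them: no hive prefix, and the
# last component is usually a value name rather than a key.
REGISTRY_INDICATORS = [
    r"\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services",
    r"\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
]
# Whole-token matching, so 185.215.113.100 never matches the IOC 185.215.113.10.
HOST_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*[A-Za-z0-9]")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def refang(indicator: str) -> str:
    """'tldrbox[.]top' -> 'tldrbox.top'; also undoes the hxxp convention."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def match_network(lines: Iterable[str], domains: Iterable[str],
                  ips: Iterable[str]) -> List[Tuple[int, str]]:
    """(line_number, token) for each token that is a listed IP or domain, or a subdomain."""
    dom: Set[str] = {refang(d) for d in domains}
    addr: Set[str] = {refang(i) for i in ips}
    hits = []
    for lineno, line in enumerate(lines, 1):
        for token in HOST_TOKEN.findall(line):
            t = token.lower()
            if t in addr or t in dom or any(t.endswith("." + d) for d in dom):
                hits.append((lineno, t))
    return hits


def match_hashes(inventory: Dict[str, str], known: Set[str]) -> List[Tuple[str, str]]:
    """inventory maps file path -> MD5, e.g. from an EDR export or a hashing sweep."""
    return [(p, h.lower()) for p, h in inventory.items() if h.lower() in known]


def match_registry(reg_text: str, indicators: Iterable[str]) -> List[Tuple[str, str]]:
    """Walk a .reg export; return (key\\value, data) for every value whose full path
    ends with an indicator, or whose key does (the AuthorizedApplications\\List case)."""
    wanted = [i.lower() for i in indicators]
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
        full = f"{key}\\{name}"
        if any(full.lower().endswith(w) or key.lower().endswith(w) for w in wanted):
            hits.append((full, m.group(2)))
    return hits


# Constructed sample inputs: a proxy/DNS log, a hash inventory and a .reg export.
SAMPLE_LOG_LINES = [
    "2021-05-27T10:01:12Z 10.0.5.21 GET http://tldrbox.top/o.exe 200",
    "2021-05-27T10:01:40Z 10.0.5.21 CONNECT 185.215.113.10:443 200",
    "2021-05-27T10:02:03Z 10.0.7.9 GET http://www.example.org/ 200",
    "2021-05-27T10:02:55Z 10.0.5.21 DNS A update.xmrupdtemall.top",
    "2021-05-27T10:03:10Z 10.0.7.9 CONNECT 185.215.113.100:443 200",
]
SAMPLE_INVENTORY = {
    r"C:\Users\alice\AppData\Local\Temp\photo.zip": "FC729A08001392406565808408CF6166",
    r"C:\Windows\System32\svchost.exe": "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of empty input, placeholder
}
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"Host Process for Windows Services"="C:\\Users\\alice\\AppData\\Roaming\\winsvcs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\alice\\AppData\\Roaming\\winsvcs.exe"="C:\\Users\\alice\\AppData\\Roaming\\winsvcs.exe:*:Enabled:winsvcs"
"""


def run_checks() -> Dict[str, list]:
    return {
        "network": match_network(SAMPLE_LOG_LINES, DEFANGED_DOMAINS, DEFANGED_IPS),
        "hashes": match_hashes(SAMPLE_INVENTORY, KNOWN_MD5),
        "registry": match_registry(SAMPLE_REG_EXPORT, REGISTRY_INDICATORS),
    }
```

Replace the sample constants with the full lists from this page and feed real exports: `reg export HKLM\SOFTWARE\Microsoft hklm.reg` writes UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `match_registry`. Weight the three signals differently: an MD5 match or a Run value named "Host Process for Windows Services" pointing into a user profile is strong evidence, while a single proxy hit on one of the domains should prompt a look at the host rather than containment on its own.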

Last edited: 27 May 2021 3:05 pm