Phorpiex enrols new systems into its botnet by distributing a backdoor module in spam emails sent from previously compromised systems. These emails typically carry malicious ZIP or other archive attachments disguised as image files. When opened, the attachment deploys a preliminary loader which downloads Phorpiex onto the host device. Reports also indicate Phorpiex may be distributed via drive-by download or through spoofed image download sites.
Phorpiex also has a self-replication mechanism, spreading via removable USB drives attached to a compromised system. It checks for connected removable drives, then copies the backdoor and its configuration files, along with a LNK (shortcut) file that launches the malware, into a series of hidden folders on each drive it finds.
Once executed, Phorpiex performs checks on the host system, terminating if it detects a sandbox or virtual environment. It also checks its host’s regional settings and terminates if an excluded region is detected. In an attempt to achieve persistence on the host system, Phorpiex modifies registry keys, adding its executables to authorised application lists and setting them to run at startup. It will also attempt to disable firewall and antivirus services.
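The registry changes described above leave a footprint that can be audited offline. The script below is an added example, not code from the original advisory: it parses the text that `reg export` produces for the `Run` key and for the legacy Windows Firewall `AuthorizedApplications\List` key (the assumption here is that this is the "authorised application list" the advisory refers to) and flags entries whose binary lives in a user-writable directory. The `.reg` content, the value name `Windows Service Helper` and the `svchelper.exe` path are constructed for illustration; the directory heuristic is a starting point to tune for your own estate.

```python
"""Flag Phorpiex-style persistence in a Windows registry export (.reg text):
autostart entries under the Run key and firewall AuthorizedApplications entries
that point at binaries in user-writable directories.

Added example, not code from the original advisory.  The .reg text, value
names and paths below are constructed for illustration.
"""
import re

# Constructed sample: what `reg export` produces for the two keys of interest,
# with one benign and one hypothetical suspicious entry under each.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Windows Service Helper"="C:\\Users\\Public\\svchelper\\svchelper.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Users\\Public\\svchelper\\svchelper.exe"="C:\\Users\\Public\\svchelper\\svchelper.exe:*:Enabled:Windows Service Helper"
"""

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
FW_LIST_RE = re.compile(r"\\AuthorizedApplications\\List$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)    # executable at the start of a command line

# Directories a legitimate autostart rarely lives in but which an unprivileged
# dropper can write to.  Heuristic: extend or tighten for your environment.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def _unescape(s):
    """Undo .reg string escaping (\" and \\\\)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _is_user_writable(path):
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def parse_reg_export(text):
    """Yield (key, value_name, value_data) triples from .reg text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            yield key, name, data


def audit_registry_export(text):
    """Return a list of findings: autostarts and firewall-authorised binaries
    located in user-writable directories."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if RUN_KEY_RE.search(key):
            m = EXE_RE.match(data)
            path = m.group(1) if m else data
            if _is_user_writable(path):
                findings.append({"key": key, "name": name, "path": path,
                                 "reason": "autostart from user-writable directory"})
        elif FW_LIST_RE.search(key):
            # Under AuthorizedApplications\List the value *name* is the binary path.
            if _is_user_writable(name):
                findings.append({"key": key, "name": name, "path": name,
                                 "reason": "firewall-authorised binary in user-writable directory"})
    return findings


if __name__ == "__main__":
    for f in audit_registry_export(SAMPLE_REG):
        print(f"{f['reason']}: {f['path']}  (value '{f['name']}' under {f['key']})")
```

On a live host, `reg export <key> out.reg` writes UTF-16 text, so open the file with `encoding="utf-16"` before passing it to `audit_registry_export`. The same heuristic applies to the `HKLM` Run keys and to the `DomainProfile` firewall list; only the key patterns need extending.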
Phorpiex connects to a command and control (C2) infrastructure to download updates and any additional modules. These modules are used to provide the following capabilities:
Data collected by these modules is regularly uploaded to the C2 servers. Phorpiex’s C2 infrastructure often uses domain generation algorithm (DGA) domains as a means of defence evasion.
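DGA domains evade static blocklists, but the names themselves and the way a bot resolves them are detectable. The script below is an added example, not code from the original advisory or from any published Phorpiex analysis: it scores the registrable label of each queried name on four simple features (entropy, vowel ratio, digit ratio, length) and then surfaces clients that receive NXDOMAIN for several generated-looking names in a short span, which is the pattern a bot produces while walking its candidate list. The log format, the client addresses and every domain name in the sample are constructed; the thresholds are heuristics to tune against your own DNS baseline.

```python
"""Score DNS queries for DGA-like names and surface clients that resolve many of
them, as a detection for DGA-based C2 such as Phorpiex's.

Added example, not code from the original advisory.  The log format and the
domain names below are constructed; the thresholds are heuristics to tune.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log: timestamp, client IP, queried name, response code.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02 10.0.0.5 mail.example.org NOERROR
2024-01-01T10:00:03 10.0.0.9 xk3j9fqz2lm7w.com NXDOMAIN
2024-01-01T10:00:03 10.0.0.9 qp8ztr4vb61nx.net NXDOMAIN
2024-01-01T10:00:04 10.0.0.9 m2v9ks7dtq0yh.com NXDOMAIN
2024-01-01T10:00:04 10.0.0.9 j7wq3nz8bx5lp.org NXDOMAIN
2024-01-01T10:00:05 10.0.0.9 cdn.example.net NOERROR
2024-01-01T10:00:06 10.0.0.5 api.example.com NOERROR
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client, qname, rcode) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()


def registrable_label(qname):
    """Second-level label (naive: does not handle multi-part suffixes like co.uk)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dga_score(label):
    """Count of DGA-like features (0-4): high entropy, few vowels, many digits, long."""
    n = len(label)
    vowels = sum(ch in "aeiou" for ch in label) / n
    digits = sum(ch.isdigit() for ch in label) / n
    return sum([shannon_entropy(label) >= 3.0, vowels < 0.25, digits > 0.15, n >= 10])


def flag_dga_queries(text, min_score=3):
    """(client, qname, score) for queries whose registrable label looks generated."""
    out = []
    for _, client, qname, _ in parse_dns_log(text):
        score = dga_score(registrable_label(qname))
        if score >= min_score:
            out.append((client, qname, score))
    return out


def suspect_clients(text, min_hits=3):
    """Clients with at least min_hits distinct DGA-like names that failed to resolve.
    A DGA bot tries many candidates before one is registered, so a burst of
    NXDOMAIN answers for generated-looking names is the stronger signal."""
    hits = defaultdict(set)
    for _, client, qname, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN" and dga_score(registrable_label(qname)) >= 3:
            hits[client].add(qname)
    return {c: len(names) for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, qname, score in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"{client} {qname} score={score}")
    print(suspect_clients(SAMPLE_DNS_LOG))
```

Per-name scoring alone produces false positives (CDN hostnames, hashed cloud labels), which is why `suspect_clients` keys on the combination of a generated-looking label and a failed resolution, counted per client over the window you feed it.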
Phorpiex has been observed delivering BitRansom and Avaddon ransomware in recent campaigns, either via its spam mailing functionality or directly to enrolled systems. The botnet will also distribute spam email from enrolled devices, referencing illicit content of affected users in an attempt to extort them for payment. Since 2019, Phorpiex has installed the XMRig mining application as a module and has recently added additional cryptocurrency miners. Most variants of Phorpiex also have clipboard-clipping functionality, which swaps a cryptocurrency wallet address copied to the clipboard for one belonging to the attacker, redirecting the victim’s payment to the attacker’s wallet.
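A clipper's swap is visible from the clipboard alone: an address is copied and, a fraction of a second later, a different address of the same format appears without any user action. The script below is an added example, not code from the original advisory: it replays a list of clipboard events and raises an alert when consecutive values are two different addresses of the same kind within a short window. The event timeline and every address in it are constructed (none is a real wallet); the address patterns are the publicly documented Bitcoin and Ethereum formats. A deployment would feed the same function from a clipboard poller instead of a fixed list.

```python
"""Detect clipboard-clipper activity: a copied cryptocurrency address that is
replaced by a different address of the same kind within a fraction of a second.

Added example, not code from the original advisory.  The clipboard events and
the wallet addresses below are constructed (they are not real wallets); the
address patterns are the well-known public formats.  In deployment the events
would come from polling the clipboard; here they are a fixed list.
"""
import re

ADDRESS_PATTERNS = {
    "bitcoin-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Name of the matching address format, or None if the text is not an address."""
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(text.strip()):
            return kind
    return None


def detect_clipboard_swaps(events, window_seconds=2.0):
    """events: list of (seconds, clipboard_text) in time order.
    Returns one alert per pair of consecutive events in which an address of one
    kind is replaced by a *different* address of the same kind within the
    window.  A person copying addresses by hand practically never does that;
    a clipper does it every time."""
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        kind = address_kind(before)
        if (kind and address_kind(after) == kind and before != after
                and (t1 - t0) <= window_seconds):
            alerts.append({"kind": kind, "original": before,
                           "replacement": after, "seconds": t1 - t0})
    return alerts


# Constructed clipboard timeline (hypothetical addresses, built to match the formats).
SAMPLE_EVENTS = [
    (0.0, "meeting notes for tuesday"),
    (5.0, "1Examp1eBtcAddrNotReaLAbcDefGhJkmnp"),   # user copies a BTC address
    (5.3, "3Examp1eBtcAddrSwappedByC1ipperXyz"),    # replaced 300 ms later by a different one
    (20.0, "0x" + "1" * 40),                        # user copies an ETH address
    (60.0, "0x" + "2" * 40),                        # a second, deliberate copy 40 s later
    (70.0, "hello"),
]


if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"{a['kind']} address swapped after {a['seconds']:.1f}s: "
              f"{a['original']} -> {a['replacement']}")
```

The window is the tunable part: a clipper rewrites the clipboard as soon as it sees an address, so sub-second gaps dominate; widening the window catches slower implementations at the cost of flagging users who genuinely paste two addresses in quick succession.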