Phorpiex (Trik) Botnet
Summary
Phorpiex (also known as Trik) is a modular botnet with worm functionality, which distributes ransomware payloads, cryptocurrency miners and spam.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Delivery and Activities
Phorpiex enrols new systems into its botnet by distributing a backdoor module in spam emails sent from previously compromised systems. These emails typically contain malicious ZIP or other archive file attachments disguised as image files. When opened, the attachments deploy a preliminary loader which downloads Phorpiex onto the host device. Reports also indicate Phorpiex may be distributed via drive-by-download or through spoof image download sites.
Phorpiex also has a self-replication mechanism, spreading via removable USB drives connected to a compromised system. It performs checks to detect connected removable drives, then copies the backdoor and its configuration files, along with a LNK file that runs the malware, into a series of hidden folders on any connected drives.
Once executed, Phorpiex performs checks on the host system, terminating if it detects a sandbox or virtual environment. It also checks its host’s regional settings and terminates if an excluded region is detected. In an attempt to achieve persistence on the host system, Phorpiex modifies registry keys, adding its executables to authorised application lists and setting them to run at startup. It will also attempt to disable firewall and antivirus services.
Phorpiex connects to a command and control (C2) infrastructure to download updates and any additional modules. These modules are used to provide the following capabilities:
- ransomware and malware distribution
- worming functionality
- mailing botnet
- cryptocurrency mining
Data collected by these modules is regularly uploaded to the C2 servers. Phorpiex’s C2 infrastructure often uses domain generation algorithm (DGA) domains as a means of defence evasion.
Phorpiex has been observed delivering BitRansom and Avaddon ransomware in recent campaigns, either via its spam mailing functionality or directly to enrolled systems. The botnet will also distribute spam email to enrolled devices, referencing illicit content of affected users in an attempt to extort them for payment. Since 2019, Phorpiex has installed the XMRig mining application as a module and has recently added additional cryptocurrency miners. Most variants of Phorpiex also have clipboard-clipping (“clipper”) functionality which redirects cryptocurrency payments to the attacker’s cryptocurrency wallet.
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
- Removable USB drives and devices are monitored and controlled, and their use is blocked unless deemed necessary.
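The USB spreading layout described under Delivery and Activities (a LNK file at the drive root that launches the malware from a hidden folder) gives defenders something concrete to check when controlling removable drives. The script below is an added example, not NHS Digital's or the botnet's code: it parses the shell-link (.lnk) StringData fields per MS-SHLLINK and flags root-level links whose target is an executable inside a folder carrying the Windows hidden attribute. The folder name, file name and arguments in the fixture are constructed and not taken from any real sample.

```python
import os, stat, struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046 on disk
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")

def _read_string(data, off, unicode):
    """StringData item: 2-byte character count, then UTF-16LE (or ANSI) text."""
    (n,) = struct.unpack_from("<H", data, off)
    raw = data[off + 2:off + 2 + (2 * n if unicode else n)]
    return raw.decode("utf-16-le" if unicode else "cp1252"), off + 2 + len(raw)

def parse_lnk(data):
    """Return (relative_path, arguments); IDList and LinkInfo are skipped, not decoded."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    off = 0x4C
    if flags & HAS_ID_LIST:    # IDListSize (2 bytes) precedes the list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON):
        if flags & bit:
            fields[bit], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return fields.get(HAS_REL_PATH, ""), fields.get(HAS_ARGS, "")

def classify_lnk(data, hidden_dirs):
    """Flag a root-level link that launches an executable from a hidden folder."""
    rel, args = parse_lnk(data)
    parts = [p for p in rel.replace("\\", "/").split("/") if p not in ("", ".")]
    in_hidden = any(p in hidden_dirs for p in parts[:-1])
    is_exec = bool(parts) and parts[-1].lower().endswith(EXEC_EXT)
    return {"target": rel, "args": args, "suspicious": in_hidden and is_exec}

def scan_drive(root):
    """Suspicious root-level .lnk files on a mounted drive (uses the Windows hidden attribute)."""
    hidden = {e.name for e in os.scandir(root) if e.is_dir()
              and getattr(e.stat(), "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_HIDDEN}
    verdicts = {e.path: classify_lnk(open(e.path, "rb").read(), hidden)
                for e in os.scandir(root) if e.is_file() and e.name.lower().endswith(".lnk")}
    return [p for p, v in verdicts.items() if v["suspicious"]]

def build_lnk(rel_path, args=""):
    """Constructed Unicode shell link used as a fixture; not a real malware sample."""
    flags = HAS_REL_PATH | IS_UNICODE | (HAS_ARGS if args else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\0")
    enc = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return header + enc(rel_path) + (enc(args) if args else b"")
```

Run `scan_drive("E:\\")` on a mounted removable drive on Windows; on other operating systems the hidden-attribute set is empty, so only `classify_lnk` with an explicit `hidden_dirs` set is meaningful there.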
Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
Last edited: 27 May 2021 3:05 pm