Phorpiex Botnet Sends Millions of Emails in LockBit Black Ransomware Attack


The cybersecurity landscape has been significantly disrupted by a surge of millions of phishing emails sent through the Phorpiex botnet. This wave of malicious activity is part of a large-scale LockBit Black ransomware campaign. Carefully crafted to exploit vulnerabilities in email security, this campaign targets unsuspecting recipients with deceptive messages that appear legitimate. 

How the Attack Works

The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) recently warned that attackers are distributing ZIP attachments containing executables. When these files are launched, they deploy the LockBit Black ransomware, encrypting the victim’s systems.

These phishing emails, often with subject lines like “your document” and “photo of you???”, use aliases such as “Jenny Brown” or “Jenny Green” and originate from over 1,500 IP addresses worldwide, including Kazakhstan, Uzbekistan, Iran, Russia, and China.

Phishing email sample (Source: Proofpoint)

The infection process begins when a recipient opens the malicious ZIP archive and executes the binary inside. This executable downloads a LockBit Black ransomware sample from the Phorpiex botnet’s infrastructure and runs it on the victim’s system. Once active, the ransomware attempts to steal sensitive data, terminate services, and encrypt files.

Proofpoint has been monitoring these high-volume campaigns since April 24, 2024. They noted that the threat actors target companies across various industries worldwide. While this approach is not new, the sheer number of emails and the use of ransomware as a first-stage payload set this campaign apart.

LockBit Black Ransomware note (Source: Proofpoint)

The Phorpiex Botnet

Also known as Trik, the Phorpiex botnet has been active for over a decade. Initially, it spread via removable USB storage and messaging platforms like Skype and Windows Live Messenger. Over time, it evolved into an IRC-controlled trojan that used email spam delivery.

At its peak, the botnet controlled over 1 million infected devices. After years of development, its operators attempted to sell the malware’s source code on a hacking forum. The Phorpiex botnet has also been used for other malicious activities, such as delivering millions of sextortion emails and using a clipboard hijacker to replace cryptocurrency wallet addresses.

Within a year of adding crypto-clipping support, Phorpiex’s operators hijacked 969 transactions, stealing 3.64 Bitcoin (worth $172,300), 55.87 Ether (worth $216,000), and $55,000 in ERC20 tokens.

Defense Strategies

To combat phishing attacks that deliver ransomware, NJCCIC recommends implementing robust ransomware risk mitigation strategies. This includes using endpoint security solutions and email filtering tools, such as spam filters, to block potentially malicious messages before they reach users’ inboxes.
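The article describes the lure concretely enough to show what a gateway-side filter can check: subject lines such as "your document" and "photo of you???", display names such as "Jenny Brown", and a ZIP attachment carrying an executable. The script below is an added example, not code from the article, NJCCIC or Proofpoint. It parses a raw message, inspects the bytes of every attached archive for executable members (rather than trusting the file extension), matches the quoted lure indicators, and returns a quarantine decision. The blocked-extension list and the decision policy are assumptions; the two sample messages are constructed, and the "executable" inside the ZIP is placeholder bytes, not a real binary.

```python
"""Mail-gateway triage for the phishing pattern described above (added example, not the article's)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Lure indicators quoted in the article: subject lines and sender display names.
SUSPECT_SUBJECTS = {"your document", "photo of you???"}
SUSPECT_SENDER_NAMES = {"jenny brown", "jenny green"}
# Assumed list of executable extensions to refuse inside archives; the article only says "executables".
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def executables_in_zip(data: bytes) -> list:
    """Names of executable members inside a ZIP payload; [] if none or if data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist() if name.lower().endswith(EXECUTABLE_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(raw_message: bytes) -> dict:
    """Inspect one raw RFC 5322 message and decide whether to quarantine it.

    Policy (assumed, not from the article): an executable inside an attached archive is
    always blocked; lure indicators alone are reported and block only when both match.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        reasons.append(f"campaign subject line: {subject!r}")

    from_header = msg["From"]
    display_name = ""
    if from_header is not None and from_header.addresses:
        display_name = from_header.addresses[0].display_name.lower()
    if display_name in SUSPECT_SENDER_NAMES:
        reasons.append(f"campaign sender alias: {display_name!r}")

    archive_executables = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        payload = part.get_content()
        if not isinstance(payload, bytes):
            continue  # text attachments cannot be archives
        # Check the bytes, not the extension: a renamed ZIP is still a ZIP.
        for member in executables_in_zip(payload):
            archive_executables.append(f"{filename}:{member}")
    if archive_executables:
        reasons.append("executable inside attached archive: " + ", ".join(archive_executables))

    lure_hits = sum(1 for r in reasons if r.startswith("campaign"))
    quarantine = bool(archive_executables) or lure_hits >= 2
    return {"quarantine": quarantine, "reasons": reasons}


def _zip_with(members: dict) -> bytes:
    """Build an in-memory ZIP from {member name: content} (helper for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed lure shaped like the article's description: 'photo of you???' from 'Jenny Brown'
    with a ZIP holding an executable. The member bytes are a placeholder, not malware."""
    msg = EmailMessage()
    msg["Subject"] = "photo of you???"
    msg["From"] = "Jenny Brown <constructed-sender@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("see attached")
    msg.add_attachment(_zip_with({"photo.exe": b"placeholder bytes"}),
                       maintype="application", subtype="zip", filename="photo.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed ordinary message: a ZIP containing only a PDF, neutral subject and sender."""
    msg = EmailMessage()
    msg["Subject"] = "Q3 report"
    msg["From"] = "Accounts Team <accounts@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("report attached")
    msg.add_attachment(_zip_with({"report.pdf": b"%PDF-1.4 placeholder"}),
                       maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for build in (build_sample_message, build_benign_message):
        print(build.__name__, triage(build()))
```

The point of opening the archive rather than matching on "photo.zip" is that the executable is the dangerous part and its name is entirely under the sender's control; the subject and display-name matches are cheap corroboration that will age out as the campaign changes, so they are reported but only block in combination.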

By staying vigilant and adopting comprehensive security measures, organizations can protect themselves from the ongoing threat posed by the Phorpiex botnet and similar ransomware campaigns.

Author: Anas Hasan

Date: May 14, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
