Phorpiex Botnet Shifts Gears From Ransomware to Sextortion


A decade-old botnet is using infected computers to send out sextortion emails, in a wide-scale campaign with the potential to reach millions of victims.

A recent wide-scale campaign indicates that a decade-old botnet is shifting gears from distributing ransomware to delivering millions of sextortion threats to innocent recipients. Worse, researchers say that the botnet’s spam campaign can affect up to 27 million potential victims.

The botnet, Phorpiex, has been active for almost a decade and currently controls almost 500,000 computers globally. The botnet is known for distributing malware such as GandCrab as well as cryptocurrency miners on infected hosts. However, researchers with Check Point say the botnet has recently been spotted in a five-month campaign cashing in on a new form of revenue generation: wide-scale sextortion.

“Phorpiex, a veteran botnet, has found a way to use [its infected computers] to generate easy income on a long term basis,” Check Point researchers said in a Wednesday analysis. “This new activity might be connected with the termination of Gandcrab, a ransomware that Phorpiex used to distribute, or just because plain-text emails still manage to infiltrate many cyber-defense lines. In any case, Phorpiex…is continuously propagating sextortion emails – by the millions.”

Sextortion is a type of attack where bad actors email spam messages to victims claiming to have sexual content and private data on the recipient — then, they demand a blackmail payment in exchange for not exposing the supposedly hacked data. Most of the time, the attackers are merely bluffing and hoping the intended victims will fall for the scare tactics.

The computers controlled by the Phorpiex botnet download a database of email addresses and corresponding credentials (likely acquired from Dark Web sites) from a command-and-control (C2) server. In the most recent campaign, researchers observed a downloaded database containing up to 20,000 email addresses; in various other campaigns, they observed between 325 and 1,363 email databases on the C2 server, adding up to potentially millions of victims.

“The most interesting feature of the last spam campaigns is that the Phorpiex/Trik spam bot uses databases with leaked passwords in combination with email addresses,” said researchers. “A victim’s password is usually included in the email message; this exacerbates the threat by showing that the password is known to the attacker. For further shock value, the message starts with a string that contains the password.”

An email address is then randomly selected from this downloaded database, and a message is composed from several hardcoded strings.

Example of a sextortion email sent by the botnet.

The emails generally start with the sender telling the victim one of their passwords (picked from the database). The email then says the victim’s computer was infected with private malware and that the sender recorded the victim. The email threatens to publish all private data collected online and to send it to the victim’s contacts – unless the sender is paid $800 in Bitcoin.

The spam bot can produce a large number of these spam emails – up to 30,000 per hour, researchers said.

To send emails, the spam bot uses the Simple Mail Transfer Protocol (SMTP), the standard protocol for email services on a TCP/IP network.
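A mail-filter heuristic for the message traits described above (opens with a leaked password, claims a recording, demands a dollar amount in Bitcoin), written here as an added example in Python; it is not Check Point’s or the botnet’s code. The two sample messages and the Bitcoin-style address are constructed, and the set of leaked passwords is assumed to come from the recipient organization’s own breach-notification feed.

```python
import re
from email import message_from_string

# Constructed sample mimicking the structure the article describes:
# first token is the leaked password, then a recording claim and a Bitcoin demand.
SAMPLE_SEXTORTION = """From: nobody@example.invalid
To: victim@example.invalid
Subject: victim@example.invalid : hunter2

hunter2 is one of your passwords. I infected your computer with
private malware and recorded you through the webcam.
Send $800 in Bitcoin to 1TESTADDRESSCNSTRUCTEDXYZ123456789 within 48 hours
or I will send the video to all of your contacts.
"""
# (the address above is a constructed base58-shaped string, not a real wallet)

SAMPLE_BENIGN = """From: it-help@example.invalid
To: victim@example.invalid
Subject: Password policy reminder

Please change your password every 90 days. Thanks, IT.
"""

# Legacy (1.../3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_ADDR = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")
THREAT_WORDS = ("recorded", "webcam", "malware", "contacts", "video")


def score_sextortion(raw: str, leaked_passwords: set) -> dict:
    """Score one RFC 5322 message; leaked_passwords is the recipient's
    known-breached passwords (assumed plaintext here for illustration)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    words = body.split()
    first_token = words[0] if words else ""
    subject = msg.get("Subject", "")
    traits = {
        # Article: the message (and here also the subject) opens with the password.
        "opens_with_leaked_password": first_token in leaked_passwords
        or any(p and p in subject for p in leaked_passwords),
        "bitcoin_address": bool(BTC_ADDR.search(body)),
        "dollar_demand": bool(re.search(r"\$\d{2,}", body)),
        # Two or more recording/exposure keywords count as threat language.
        "threat_language": sum(w in body.lower() for w in THREAT_WORDS) >= 2,
    }
    return {"score": sum(traits.values()), "traits": traits}


if __name__ == "__main__":
    print(score_sextortion(SAMPLE_SEXTORTION, {"hunter2"}))
    print(score_sextortion(SAMPLE_BENIGN, {"hunter2"}))
```

A score of 3 or more is a reasonable quarantine threshold; the leaked-password trait alone should also trigger a forced credential reset for that recipient.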

In the five-month period that they have been monitoring this operation, researchers said that they recorded transfers of more than 14 Bitcoin to the Phorpiex campaign’s wallets; that has a current value of more than $110,000, or about $22,000 per month. While researchers said the number “may not sound like a lot,” for a low-maintenance operation requiring only a large credentials list and the occasional wallet replacement, it’s certainly not chump change.

“Given the number of incoming transactions to these wallets, we can also estimate the total number of victims affected by this campaign,” researchers said. “Therefore, we can conclude that approximately 150 victims paid the blackmail demand over the span of five months. Considering the number of emails that the spam bot is capable of generating, despite the low numbers of payments received, this still means this simple scam technique was successful.”

