This article was originally published
on the AppRiver blog.
There are few botnets with the capability to send tremendous volumes and pack an infection chain as malicious as the Phorphiex Worm/Trik botnet this year.
For 2019, the Mealybug threat group has garnered the most media attention
with Emotet attacks. However, the Phorpiex/Trik botnet is not to be easily outdone. AppRiver filters have captured more than 1.4 million directly attached malicious messages this year, with 847,947 of those messages arriving since April 4, 2019.
Phorphiex also known as Trik Botnet (SDBot Fork)
The Phorphiex worm is a decade-old worm which historically spread via live chat (Windows Messenger / Skype) and USB storage drives. Most recently it made news due to a leaky server
which revealed 43,555,741 unique email addresses spread across 4.6 million domains. Lately it has been tracked via the alternative name of Trik (SDBot Fork), but should not to be confused with the Trickbot banking trojan.
Trik uses IRC for it's command and control communication and contains the ability to download and run additional exectubles, brute force email credentials, and utilize infected systems to further propagate spam and malicious payloads.
The sample we inspected contained the ability to disable anti-virus and firewall protection by modifying the Windows registry values: AntiVirusOverride, UpdatesOverride, FirewallOverride, AntiVirusDisableNotify, UpdatesDisableNotify, AutoUpdateDisableNotify, & FirewallDisableNotify.
It also contains basic anti-analysis capabilities to determine if it's in a malware research environment. Methods include comparing running processes to known analysis tools, checking folder names, user names, using the FindWindow API, and checking for debugging via the IsDebuggerPresent function.
Trik Botnet Phishing Emails
The best thing going for users is that Trik spam emails are relatively simple to recognize. The sending addresses utilize a bogus name followed by two random numbers @ then four random numbers.com.
These names and numbers used for the spam emails are hardcoded lists into Trik and follow a basic structure. The subjects vary, however, for this campaign the body contains the same smiley emoji and attachment naming format of PIC#'s-JPG.zip.
Initial Payload (1.exe) - Gandcrab Ransomware v5.2
Gandcrab is the most widely distributed ransomware via email so far this year. The authors, known by some researchers as Pinchy Spider, continuously update it to help avoid anti-virus detection. It is a Ransomware-as-a-Service (RaaS) business model. Pinchy Spider takes a 60-70% cut from profits for actors who utilize the software.
New ransomware senders can also pay Pinchy Spider $100 for up to 200 victims during a two-month period. In addition, it's available to license for $1200
. This allows more skilled attackers to utilize their own logo and update the code as needed to help avoid detection. Since many different actors use Gandcrab, demanded ransom amounts vary widely but have been documented anywhere from $250 to over $400,000
Decryption software exists for many versions prior to 5.2
but there is no way to currently decrypt this version for free. Version 5.2 was likely released in response to the decryption tool becoming publicly available.
Cryptojacking Payload (2.exe) - CryptoNight XMRig Miner
a machine is simply the unauthorized use of someone else's machine to mine cryptocurrency. Chaining a cryptocurrency miner into an attack that already includes ransomware, and a banking trojan ensures profitability for the malicious actor.
Open source software XMRig
allows mining for Monero cryptocurrency via CPU or GPU hardware. Bitcoin requires the more expensive GPU hardware to effectively mine the currency. However, the CryptoNight XMRig algorithm favors CPU's, malicious actors gain a higher monetary gain for successful attacks.
Captured JSON Login Communication - Sent to 220.127.116.11:7575
(Windows NT 6.1; Win64; x64) libuv/1.20.3 gcc/8.2.0","algo":["cn/r","cn/wow","cn/2","cn/1","cn/0","cn/half","cn/xtl","cn/msr","cn/xao","cn/rto","cn/gpu","cn"]}}.
Banking Trojan Payload (4.exe) - Ursnif / Gozi ISFB
Ursnif / Gozi is one of the top global threats as a banking trojan with global distribution since 2007. The original Russian author, Nikita Kuzmin, was caught then court ordered
$6.9 million in restitution along with serving 37 months in prison before being released under undisclosed terms.
Since then the Gozi source code has been leaked, improved, and new features added. The current version is now known as Ursnif / Gozi ISFB and is located on GitHub for anyone
to utilize. The attacks we see most often (beside Trik campaigns) are the Dark Cloud botnet
distributing it in the form of conversation hijacking attacks
or fake resumes
. However, many groups mobilize the trojan due to it's evasive capabilities for avoiding detection and analysis.
Major ISFB stealer functionalities:
- Capturing Screen Shots & Video of activity being conducted on the system
- Extracting browser cookie information preserving the structure directories
- Retrieve Certificates stored in the Windows system store
- Harvest email credentials
- Use browser APIs to hook calls & serve up substitutions (phishing sites) of legitimate banking sites
- Capture FTP Credentials
Indicators of Compromise (IOC):
Main object - "PIC074780520-JPG.js:"
Dropped Executable File:
sha256 C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\1.exe
sha256 C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\2.exe