Phorpiex botnet made $115,000 in five months just from mass-spamming sextortion emails

Sextortion emails look silly to most of us, but many users take them at face value and pay up.
Written by Catalin Cimpanu, Contributor

Researchers at cyber-security firm Check Point say they've tracked one of the sources of the recent rise in sextortion emails to a good ol' friend -- the Phorpiex spam botnet, also known as Trik.

Check Point says that since April, they've seen the botnet send out multiple spam campaigns with a "sextortion" lure -- claiming to have compromising images or videos of the email recipient and demanding a ransom.

According to a report shared with ZDNet last week, some of these mass-mailed sextortion waves peaked at 27 million emails per campaign, with some of the Phorpiex-infected computers sending out up to 30,000 sextortion emails per hour -- when the botnet was maxing out.

In the five-month period Check Point tracked Phorpiex's sextortion campaigns, victims sent more than 14 bitcoin (~$115,000) to the Bitcoin addresses spotted inside the sextortion emails, Check Point researchers told ZDNet in an email.

These profits would be more than enough to cover the botnet's operation costs, Alexey Bukhteyev, Reverse Engineer at Check Point, told ZDNet.

A short history of the Phorpiex malware

Currently, Bukhteyev put the Phorpiex botnet's size at around 450,000 infected Windows computers. This puts Phorpiex in the category of medium-sized malware botnets.

The Phorpiex trojan was first seen more than a decade ago. In its early days, the malware worked as a worm that self-propagated via removable USB storage devices, Skype, or Windows Live Messenger private messages.

These initial worm-based variants were tracked under the name of Phorpiex. Nowadays, the botnet is more often referred to as Trik (not to be confused with a different botnet known as The_Trick).

This new name came after the Phorpiex authors forked and integrated the codebase of the older SDBot trojan into the Trik/Phorpiex versions we see today.

Ever since its early days, the Phorpiex gang has used infected computers to send email spam, rather than steal data from infected hosts or deploy second-stage malware as part of a rentable pay-per-install malware-as-a-service operation.

For most of its lifetime, Phorpiex was a small player, compared to other spam botnets. This changed in May 2018 when the retooled Phorpiex version became a major player on the spam scene, according to a Proofpoint report published at the time.

Historically, the Phorpiex spam bots have been seen pushing almost all major malware variants, from banking trojans to ransomware, and from infostealers to shady pharmaceutical product spam.

In hindsight, Phorpiex getting involved in the recent trend of sextortion email spam campaigns isn't really a surprise, since it is right up the gang's alley and area of expertise.

Phorpiex scared users by showing one of their passwords

The most interesting part of Phorpiex's recent sextortion email campaigns is that the emails didn't just claim the senders had sexual videos of the victim; they also claimed to have one of the victim's passwords, and showed it.


Bukhteyev told ZDNet that while analyzing the veracity of these claims he discovered that all the email addresses used in the sextortion campaigns were also present in the Have I Been Pwned database.

The researcher suggests the email+password combos most likely came from past data breaches at various companies, data that made it into the public domain, and eventually into the Phorpiex gang's hands.

"However, it doesn't mean that they don't use other databases," Bukhteyev told ZDNet.
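The two checks described above -- recovering the Bitcoin payment addresses from the mails so incoming ransom payments can be tracked, and testing whether the "password" shown to the victim is really just breach-corpus data -- are the kind of triage a mail-security team would script. The block below is an added example written for this page, not Check Point's tooling: it parses a constructed sextortion message (the text and the address in it are made up here), validates any Bitcoin addresses with a Base58Check checksum so typos and lookalikes are discarded, and prepares the k-anonymity lookup used by the Have I Been Pwned Pwned Passwords range API (only the first five hex characters of the SHA-1 leave the machine). The HTTPS call itself is not made; a constructed stand-in for the range response is parsed instead.

```python
"""Triage a sextortion email: extract the claimed password and payment address,
validate the address, and prepare an HIBP Pwned Passwords k-anonymity check.
Example code for this page; not Check Point's or ZDNet's own tooling."""
import hashlib
import re

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH/P2SH addresses start with 1 or 3 and are 26-35 Base58 characters.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
PASSWORD_RE = re.compile(r"password\s+(?:is|was)[:\s]+(\S+)", re.IGNORECASE)


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload: bytes) -> str:
    """Encode version||hash160 as a legacy address: payload + 4-byte sha256d checksum."""
    data = payload + sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading zero byte becomes a '1'
    return "1" * pad + out


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 bytes match sha256d(first 21)[:4]."""
    if any(c not in BASE58_ALPHABET for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + BASE58_ALPHABET.index(c)
    try:
        data = n.to_bytes(25, "big")
    except OverflowError:
        return False
    leading_ones = len(addr) - len(addr.lstrip("1"))
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    if leading_ones != leading_zeros:
        return False
    return sha256d(data[:21])[:4] == data[21:]


def extract_indicators(email_text: str) -> dict:
    """Return the password the mail claims to know and every checksum-valid address in it."""
    m = PASSWORD_RE.search(email_text)
    claimed = m.group(1).rstrip(".,;!") if m else None
    addrs = sorted({a for a in ADDR_RE.findall(email_text) if base58check_valid(a)})
    return {"claimed_password": claimed, "btc_addresses": addrs}


def hibp_range_query(password: str) -> tuple:
    """Split SHA-1(password) into the 5-hex-char prefix sent to HIBP and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Parse a Pwned Passwords range response ("SUFFIX:COUNT" per line) for our suffix."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed sample modelled on the lure described above; address derived from a made-up hash160.
SAMPLE_ADDR = base58check_encode(b"\x00" + hashlib.sha256(b"constructed hash160").digest()[:20])
SAMPLE_EMAIL = f"""Subject: your password is hunter2
I know your password is hunter2. I have a video of you ...
Send $750 in bitcoin to this address: {SAMPLE_ADDR}
You have 48 hours. Do not reply.
"""
# Constructed stand-in for https://api.pwnedpasswords.com/range/<prefix>; counts are invented.
_PREFIX, _SUFFIX = hibp_range_query("hunter2")
FAKE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    f"{_SUFFIX}:17043\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2\n"
)


def triage(email_text: str, range_response: str) -> dict:
    """Combine both checks: payment addresses to watch, and whether the shown password is breach data."""
    ind = extract_indicators(email_text)
    count = 0
    if ind["claimed_password"]:
        _, suffix = hibp_range_query(ind["claimed_password"])
        count = breach_count(suffix, range_response)
    return {**ind, "password_breach_count": count}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL, FAKE_RANGE_RESPONSE))
```

In production the range response would come from an HTTPS GET of `https://api.pwnedpasswords.com/range/` followed by the prefix; the email addresses themselves cannot be checked the same way, since HIBP's breached-account lookup requires an API key and does not offer k-anonymity. Note that a checksum-valid address only proves it was typed correctly, not that it belongs to the Phorpiex operators; watching the chain for payments to it is what turns it into the kind of figure quoted earlier in the article.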

Of note is that in June 2018, the Phorpiex botnet suffered a data breach itself when the Phorpiex operators forgot to secure one of their command and control servers, leaking a database of more than 43 million email addresses they were using to spam users.
