Phorpiex worm pivots to infect the enterprise with GandCrab ransomware

Internet-facing endpoints are exposing businesses worldwide to a botnet which is now being used in targeted ransomware campaigns.
Written by Charlie Osborne, Contributing Writer

An established botnet and worm malware variant is engaged in a new campaign designed to infect the enterprise with GandCrab ransomware.

Phorpiex/Trik is not sophisticated. Not to be confused with the TrickBot banking Trojan, the malware -- first discovered in 2016 -- has been tracked in recent years as a distributor for malicious payloads including GandCrab, Pushdo, Pony, and cryptocurrency mining malware.

The malware focuses on infecting Windows devices and attempts to propagate through USB drives, removable storage, and spam.

"Phorpiex as a malware family has been around for several years and hasn't changed much in purpose, functionality, or code," researchers from InQuest say. "The malware itself is not incredibly advanced, has minimal evasion techniques, is often not packed during delivery, and is not very subtle when it comes to dropping files on disk or using hard-coded strings where more advanced malware families would be using randomized characters."

Little may have changed in many years, but security researchers from SecurityScorecard have now uncovered a new variant of the malware which focuses on the deployment of ransomware against organizations worldwide.

The variant in question has been given the ability to target PCs and endpoints in corporate networks which are operating server-side remote access applications with poorly-implemented protocols.

"With increasing numbers of companies offering remote-work options to their employees, many corporate endpoints may be running these applications," the company said.

Phorpiex/Trik will scan the web for Internet-facing Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) endpoints, via port 5900. In random order, these endpoints are then targeted with brute-force attacks.

The botnet tests a number of weak user and password combinations, including "12345678," "admin," "qwerty," "servidor," and "vnc123." If weak credentials are in use and the protocols have been poorly implemented, the botnet will infiltrate the system and use the endpoint as a means to install malware on corporate networks.
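As a defender's view of the scan-and-brute-force behaviour described above, the following added example (not from the article or from SecurityScorecard) flags external sources that repeatedly fail VNC authentication on port 5900, and any successful login that follows such a run. The log format, the internal address range, and the failure threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: the internal address space and the log format are hypothetical.
INTERNAL = [ip_network("10.0.0.0/8")]
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (AUTH_FAIL|AUTH_OK)$")

# Constructed sample data (documentation IP ranges), not real telemetry.
SAMPLE_LOG = """\
2018-10-01T02:14:01Z 203.0.113.50 -> 10.0.0.5:5900 AUTH_FAIL
2018-10-01T02:14:02Z 203.0.113.50 -> 10.0.0.5:5900 AUTH_FAIL
2018-10-01T02:14:03Z 203.0.113.50 -> 10.0.0.5:5900 AUTH_FAIL
2018-10-01T02:14:04Z 203.0.113.50 -> 10.0.0.5:5900 AUTH_FAIL
2018-10-01T02:14:05Z 203.0.113.50 -> 10.0.0.5:5900 AUTH_FAIL
2018-10-01T02:14:06Z 203.0.113.50 -> 10.0.0.5:5900 AUTH_OK
2018-10-01T02:15:10Z 198.51.100.7 -> 10.0.0.9:5900 AUTH_FAIL
2018-10-01T02:15:11Z 198.51.100.7 -> 10.0.0.9:5900 AUTH_FAIL
2018-10-01T02:16:00Z 10.0.0.20 -> 10.0.0.5:5900 AUTH_OK
"""

def analyze(log_text, port=5900, threshold=5):
    """Return (exposed_hosts, findings) for VNC auth events from external sources."""
    failures = defaultdict(int)          # (src, dst) -> failed logins seen so far
    exposed, findings = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # skip lines that do not fit the format
        ts, src, dst, dport, event = m.groups()
        if int(dport) != port or any(ip_address(src) in n for n in INTERNAL):
            continue                     # other service, or internal admin traffic
        exposed.add(dst)                 # VNC host reachable from outside the network
        if event == "AUTH_FAIL":
            failures[(src, dst)] += 1
            if failures[(src, dst)] == threshold:
                findings.append(("brute_force", src, dst, ts))
        elif failures[(src, dst)] >= threshold:
            # A success right after a failure run suggests a guessed weak password.
            findings.append(("login_after_brute_force", src, dst, ts))
    return exposed, findings

if __name__ == "__main__":
    exposed, findings = analyze(SAMPLE_LOG)
    print("Internet-reachable VNC hosts:", sorted(exposed))
    for finding in findings:
        print(finding)
```

The `exposed` set is useful on its own: any host in it is accepting VNC connections from outside the network, whether or not a brute-force run has been seen yet.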

In an interview with ZDNet, Paul Gagliardi, director of threat intelligence at SecurityScorecard, said the ransomware at the heart of the new campaign is GandCrab, a particularly virulent form of ransomware which has claimed tens of thousands of victims worldwide.

Once this ransomware strain has infected a system, files are encrypted and victims are coerced into paying ransoms of anything from a few hundred dollars to several thousand.

This week, version 5 of the ransomware was released, which demands payment in the Dash or Bitcoin cryptocurrencies. However, the Phorpiex/Trik campaign appears to be spreading version 4 at present.

In order to track the variant, the security ratings firm created a number of sinkholes based on inactive Phorpiex domains. The team also established honeypots, masquerading as infected devices and requesting instructions from the command-and-control (C2) server.

In total, 68,000 unique IP addresses have been tracked as infected with Phorpiex/Trik, but Gagliardi says this is only a "small percentage" associated with the botnet.

The security researcher said that the deployment of ransomware is an interesting find for this botnet, as this can be considered akin to "blowing their cover" on corporate networks. After all, as ransomware typically locks down computer systems, encrypts files and demands a payment, it is "obvious you were there" as a threat actor.

However, there is some evidence to suggest that the operators behind the scheme are being somewhat selective in their targets, with a general focus on countries which are "financially well-off."

The United States, Canada, Japan, and Australia are among those most commonly targeted.

However, the operators are not considered very sophisticated in their methods or tactics, and so spear phishing backed by social engineering or focused attacks on specific entities do not appear to be taking place.

It may only be conjecture, but Gagliardi suggested that it is possible that the botnet's infrastructure is being rented -- or partly sold -- to those responsible for the ransomware-based attacks.

In order to mitigate the threat of infection, Gagliardi recommends that companies maintain proper security hygiene and decent standards of security for endpoint devices.

"You shouldn't have a VNC server Internet-facing at all, but we see thousands of implementations all the time," Gagliardi said. "These aren't super sophisticated actors and so if you can't stay on top of them, you probably have other security problems."
