The Phorpiex malware botnet has been on the internet for years and is used by attackers to deliver ransomware and spam email.
In the past, the botnet delivered old-fashioned worms that propagated via removable USB drives and instant messaging apps.
Through the years it acquired new infrastructure, became more resilient, and started to deliver more dangerous payloads. The botnet has expanded to other targets, and its recent activity shows a shift to more global distribution, according to a report by Microsoft.
In November 2020, security firm Check Point observed Phorpiex distributing Avaddon, a then-new ransomware-as-a-service operation.
“Phorpiex is one of the oldest and most persistent botnets, and has been used by its creators for many years to distribute other malware payloads such as GandCrab and Avaddon ransomware, or for sextortion scams,” Check Point malware analysts noted.
Microsoft decided to take a closer look at the Phorpiex bot when it found out that the bot disables Microsoft Defender antivirus to maintain persistence.
“This includes modifying registry keys to disable firewall and antivirus popups or functionality, overriding proxy and browser settings, setting the loader and executables to run at startup, and adding these executables to the authorized application lists,” Microsoft noted in a blog post.
Microsoft advises enterprise customers to enable tamper protection in Microsoft Defender for Endpoint, Microsoft’s cloud-based advanced security feature, to revert changes made by the bot.
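A defender-side audit of the changes described above, as an added example that is not part of Microsoft's report or of any Phorpiex sample: it checks the well-known Windows registry locations for Defender and firewall policy keys, the legacy firewall authorized-application list, Run-key startup entries, the current user's proxy override, and whether Defender tamper protection is on. The "suspicious path" heuristic for Run entries is an assumption of this script, not a Phorpiex indicator from the page.

```powershell
# Added example: audit a host for the persistence and defense-evasion changes the
# report attributes to Phorpiex. Run in an elevated PowerShell session.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Category, $Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}
# 1. Defender policy values that disable protection or hide popups (should be absent or 0).
$defenderChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'; Name = 'DisableNotifications' }
)
foreach ($c in $defenderChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) { Add-Finding 'Defender setting disabled' "$($c.Path)\$($c.Name) = 1" }
}
# 2. Firewall disabled per profile, and entries in the legacy authorized-application list.
foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$p"
    $v = Get-ItemProperty -Path $path -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($v -and $v.EnableFirewall -eq 0) { Add-Finding 'Firewall disabled' "$path\EnableFirewall = 0" }
    $auth = Get-ItemProperty -Path "$path\AuthorizedApplications\List" -ErrorAction SilentlyContinue
    if ($auth) {
        $auth.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Add-Finding 'Firewall-authorized app' $_.Value }
    }
}
# 3. Startup entries: flag Run-key values that launch from user-writable locations (heuristic).
foreach ($hive in 'HKLM', 'HKCU') {
    $run = Get-ItemProperty -Path "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '\\(Temp|AppData|ProgramData|Users\\Public)\\' } |
            ForEach-Object { Add-Finding 'Suspicious Run entry' "$hive $($_.Name) -> $($_.Value)" }
    }
}
# 4. Proxy override in the current user's Internet Settings.
$proxy = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1) { Add-Finding 'Proxy override' "ProxyServer = $($proxy.ProxyServer)" }
# 5. Tamper protection state: the mitigation the report recommends.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status -and -not $status.IsTamperProtected) { Add-Finding 'Tamper protection off' 'Enable tamper protection in Microsoft Defender' }
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No Phorpiex-style tampering indicators found.' }
```

Each finding is a lead to verify against the host's expected configuration; a legitimately managed proxy or a vendor-installed firewall exception will also appear here.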
Check Point reported that in January Phorpiex was the second-largest botnet after the Emotet botnet, which was taken down in April.
Microsoft observed the botnet in 160 countries with the densest occurrence in Mexico (8.5%), followed by Kazakhstan (7.8%), and Uzbekistan (7.3%). The US accounted only for 2.8%.
“The combination of the wide variety of infection vectors and outcomes makes the Phorpiex botnet appear chaotic at first glance. However, for many years Phorpiex has maintained a consistent internal infrastructure using similar domains, command-and-control (C2) mechanisms, and source code,” Microsoft researchers noted.
Unlike the bot itself, the Phorpiex operators' spam campaigns targeted multiple regions:
“We observed Phorpiex operators requiring payment primarily through Bitcoin and Dash. Examples of one such cryptocurrency profit volume from a campaign in late February 2021 targeting English speaking users is below, with the subject ‘Payment from your account’,” says Microsoft.
The group made $13,000 in just 10 days, according to Microsoft.