Phorpiex botnet used in sextortion email spam campaign

After 10 years, Phorpiex botnet is still active

Phorpiex botnet used in sextortion email spam campaigns collects $115K

Phorpiex botnet has changed its course from malware distribution to the delivery of sextortion scams

After being active for around 10 years, the Phorpiex (aka Trik) botnet has recently been delivering millions of sextortion messages to random users via email spam campaigns. Check Point researchers found that the botnet now comprises over 450,000 infected hosts.

Previously, Phorpiex was used to spread notorious malware such as GandCrab, Pushdo and Pony,[1] and to run a cryptominer on infected hosts. However, researchers recently found that the Phorpiex operators have switched to scamming users with sextortion emails. Over the five-month investigation, the botnet was found to have collected around 14 BTC, worth over $110K:[2]

In the 5 month period that we have been monitoring this operation, we recorded transfers of more than 14 Bitcoins (BTC) to the Phorpiex campaign wallets whose current value is over $110,000. This may not sound like a lot, but for a low maintenance operation requiring only a large credentials list and the occasional wallet replacement, this generates $22,000 per month.

The malware sends around 30K sextortion emails in one hour

According to researchers, the Phorpiex bot downloads a list of randomly selected email addresses from its command-and-control server. It then picks addresses from that list at random and sends each a pre-composed message. The volume is striking: the bot can send around 30K emails per hour and reach up to 27 million recipients in a single spam campaign.[3]

What makes the Phorpiex campaign convincing is that each scam message includes a password allegedly belonging to the recipient's breached account. When the victim opens the message, the password appears as the top line of the email. The leaked password is presumably included to convince recipients that the threat is genuine and to pressure them into paying, for example, $800 in BTC.

However, the password shown is not necessarily tied to the victim's email account: the crooks draw on credential databases leaked in past breaches, so the password may come from any other online service and need not match the current email password. At the time of writing, around 150 victims have already paid the demanded ransom.
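The message structure described above (a leaked password on the opening line, a Bitcoin address, a dollar or BTC amount and a short deadline) is exactly what a mail filter can key on. The following is an added example written for this article, not code from Check Point or 2-spyware; the regular expressions, the scoring rule and both sample messages (including the placeholder Bitcoin address) are constructed for illustration. It requires the password lure plus at least two further indicators before flagging a message, so an ordinary payment reminder that mentions an amount and a due date is not caught.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Indicators taken from the article's description of the Phorpiex lure:
# a leaked password on the top line, a Bitcoin address, an amount and a deadline.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)
AMOUNT_RE = re.compile(
    r"(?:\$\s?\d[\d,]*(?:\.\d+)?|\b\d+(?:\.\d+)?\s?(?:BTC|bitcoins?)\b)", re.I
)
DEADLINE_RE = re.compile(r"\b\d{1,3}\s?(?:hours?|hrs|days?)\b", re.I)
THREAT_TERMS = ("webcam", "camera", "video", "recorded", "contacts", "adult")


@dataclass
class Verdict:
    indicators: List[str] = field(default_factory=list)
    btc_addresses: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The password lure is the distinguishing feature; demand two more
        # indicators so that legitimate invoices with a due date pass.
        return "leaked_password" in self.indicators and len(self.indicators) >= 3


def looks_like_password(token: str) -> bool:
    """True for a token of 6+ chars mixing at least two of letters/digits/symbols."""
    if len(token) < 6:
        return False
    classes = sum((
        any(c.isalpha() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ))
    return classes >= 2


def first_line_has_password(body: str) -> bool:
    """Check the first non-empty line for a password, as the lure places it there."""
    lines = [line.strip() for line in body.splitlines() if line.strip()]
    if not lines:
        return False
    top = lines[0]
    if "password" in top.lower():
        return True
    # Typical lure shape: "<email or username> : <password>" on a short line.
    if len(top) <= 80:
        tokens = re.split(r"[\s:\-]+", top)
        return any(looks_like_password(t) for t in tokens if "@" not in t)
    return False


def analyse(body: str) -> Verdict:
    """Collect sextortion indicators from a plain-text email body."""
    v = Verdict()
    if first_line_has_password(body):
        v.indicators.append("leaked_password")
    v.btc_addresses = BTC_ADDRESS_RE.findall(body)
    if v.btc_addresses:
        v.indicators.append("btc_address")
    if AMOUNT_RE.search(body):
        v.indicators.append("ransom_amount")
    if DEADLINE_RE.search(body):
        v.indicators.append("deadline")
    if any(term in body.lower() for term in THREAT_TERMS):
        v.indicators.append("threat_language")
    return v


# Constructed sample messages (not real emails); the Bitcoin address is a
# made-up placeholder that merely satisfies the address syntax.
SCAM_SAMPLE = """\
victim@example.com : Summer2019!

I know your password. I have recorded you through your webcam while you
were visiting adult sites. Send $800 in Bitcoin to
1ExampLeFakeAddressXXXXXXXXXXXXXX within 48 hours or the video goes to
all your contacts.
"""

BENIGN_SAMPLE = """\
Hi team,

Reminder that the invoice for $1,200 is due in 10 days. Please confirm
receipt by replying to this thread.
"""

if __name__ == "__main__":
    for name, body in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = analyse(body)
        print(name, verdict.suspicious, verdict.indicators, verdict.btc_addresses)
```

The scoring deliberately treats the Bitcoin address and the amount as separate signals: the address is also the value worth extracting, since tracking payments to campaign wallets is how the researchers measured the $110K figure quoted above.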

Sextortion scammers have been using names of infamous criminals or delivering dangerous malware in the past

Numerous cybercriminals have relied on fake messages that include large ransom demands and threaten to reveal the user's private content. A newly observed campaign, the Jeanson J. Ancheta email scam, demands $650 within 36 hours; otherwise, the scammers threaten to release a private video supposedly recorded through the user's front camera.[4] The sender pretends to be Jeanson James Ancheta, an infamous hacker who was sentenced to 5 years in prison in 2006 for operating a large network of hijacked computers.

Although sextortion scams primarily aim to swindle money from unsuspecting people, some have also been found distributing malware. At the end of 2018, sextortion messages not only demanded money but also pushed the AZORult Trojan, which in turn delivered GandCrab ransomware. GandCrab is known for targeting businesses worldwide, encrypting files and demanding ransoms.[5]

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. She holds a bachelor's degree in English Philology.
