In the Footsteps of a Sextortion Campaign

Research by: Gil Mansharov and Alexey Bukhteyev

Introduction

In its 2018 annual publication, the FBI IC3 (Internet Crime Complaint Center) reported a 242% rise in extortion emails, the majority of which are “sextortion”, with total losses of $83 million in reported crimes.

The idea behind sextortion is simple – an email demanding blackmail payment is sent to a victim, threatening to expose sexual video and private data related to the recipient if payment is not received. You may have received such emails or know others who have. Here’s another disturbing thought: is it possible that this morning you yourself unknowingly distributed 15,000 sextortion emails?

Check Point Research has exposed a botnet that does precisely that: it uses many thousands of infected computers to deliver millions of such threats to innocent recipients.
The Phorpiex (aka Trik) botnet has been active for almost a decade and currently operates more than 500,000 infected hosts. In the past, Phorpiex was monetized mostly by distributing other malware including GandCrab, Pony, Pushdo, and used its hosts to mine cryptocurrency. Recently, Phorpiex added a new form of revenue generation. In this report, we describe the spam bot used by Phorpiex to run large scale sextortion campaigns.

In the 5 month period that we have been monitoring this operation, we recorded transfers of more than 14 Bitcoins (BTC) to the Phorpiex campaign wallets whose current value is over $110,000. This may not sound like a lot, but for a low maintenance operation requiring only a large credentials list and the occasional wallet replacement, this generates $22,000 per month.

Sextortion E-mails

The Phorpiex/Trik botnet uses a spam bot that downloads a database of email addresses from a C&C server. An email address is then randomly selected from the downloaded database, and a message is composed from several hardcoded strings. The spam bot can produce a large number of spam emails – up to 30,000 per hour. Each individual spam campaign can affect up to 27 million potential victims.

The most interesting feature of the last spam campaigns is that the Phorpiex/Trik spam bot uses databases with leaked passwords in combination with email addresses. A victim’s password is usually included in the email message; this exacerbates the threat by showing that the password is known to the attacker. For further shock value, the message starts with a string that contains the password.

Here is an example of a sextorion email created by the Phorpiex spam bot:

From: Save Yourself
Subject: I recorded you – ██████

Hi, I know one of your passwords is: ██████

Your computer was infected with my private malware, your browser wasn’t updated / patched, in such case it’s enough to just visit some website where my iframe is placed to get automatically infected, if you want to find out more – Google: “Drive-by exploit”.
My malware gave me full access to all your accounts (see password above), full control over your computer and it also was possible to spy on you over your webcam.

I collected all your private data and I RECORDED YOU (through your webcam) SATISFYING YOURSELF!

After that I removed my malware to not leave any traces and this email(s) was sent from some hacked server.

I can publish the video of you and all your private data on the whole web, social networks, over email of all contacts.

But you can stop me and only I can help you out in this situation.

The only way to stop me, is to pay exactly 800$ in bitcoin (BTC).

It’s a very good offer, compared to all that horrible shit that will happen if I publish everything!

You can easily buy bitcoin here: www.paxful.com , www.coingate.com , www.coinbase.com , or check for bitcoin ATM near you, or Google for other exchanger.
You can send the bitcoin directly to my wallet, or create your own wallet first here: www.login.blockchain.com/en/#/signup/ , then receive and send to mine.

My bitcoin wallet is: 1Eim8U3kPgkTRNSFKN49jgz9Wv4A1qmcjR

Copy and paste my wallet, it’s (cAsE-sEnSEtiVE)

I give you 3 days time to pay.

As I got access to this email account, I will know if this email has already been read.
If you get this email multiple times, it’s to make sure that you read it, my mailer script is configured like this and after payment you can ignore it.

After receiving the payment, I will remove everything and you can life your live in peace like before.

Next time update your browser before browsing the web!

The spam bot is one of the final payloads in each of the Phorpiex campaigns observed in 2019. The Phorpiex spam bot doesn’t have its own persistence mechanism, as it is downloaded and executed by other Phorpiex modules. Here are some of URLs from which the spam bot was downloaded:

Table 1 – Phorpiex Spam Bot pre-infection URLs.

Technical Details

When it starts running, the spam bot performs several checks and initialization steps, similar to the rest of the Phropiex modules. First, to prevent running multiple instances, it tries to create a mutex with a specific name. This name is hardcoded in the sample, but each sample has a unique mutex name:

Figure 1: Spam bot mutex names.

If the mutex already exists, the spam bot stops running. Otherwise, it continues the initialization steps: the spam bot deletes the alternative file stream “:Zone.Identifier”, and adds a firewall exception by creating a new value under the registry key:

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\

The Spam Bot adds the value “<path_to_spam_bot>:*:Enabled:<hardcoded_ name>” to this key. For example:

%TEMP%\28764.exe:*:Enabled: WDrvConfiguration

Finally, the Phorpiex spam bot queries the MX DNS entry of the domain “yahoo.com” or “aol.com” and tries to connect to its SMTP server at port 25. If the SMTP server is unreachable, it also stops running:

Figure 2: Checking if the Yahoo SMTP server is reachable.

Email Address Databases

The spam bot uses unencrypted HTTP communication with its C&C server. The following user-agent header, although it isn’t unique to the Phorpiex spam bot, is used for performing HTTP requests:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0, and sends a GET HTTP request using the URL:
hxxp://<C&C Server>/<hardcoded path>/n.txt or hxxp://<C&C Server>/<hardcoded path>/p.txt

Example:

hxxp://193.32.161[.]69/111/n.txt

The response to this request contains a number N of email address databases stored on the C&C server. Follow-up requests are sent to download those databases, and save them under the %TEMP% directory with “.jpg” extensions.

In the infinite loop, the malware generates URLs with the following format:

hxxp://<C&C Server>/<hardcoded path>/<rand>.txt

The <rand> is a random integer between 1 and N.

The final URL of an email database to download looks like this:

hxxp://193.32.161[.]69/111/135.txt

The downloaded database is saved in the %temp% folder with a filename composed of random digits and the “.jpg” extension. For example:

%temp%\5173150314183010.jpg

The downloaded database is a text file which contains up to 20,000 email addresses. In various campaigns, we observed between 325 and 1363 email databases on a C&C server. Therefore, one spam campaign covers up to 27 million potential victims. Each line of this file contains an email address and a password delimited by “:”, as shown below:

[email protected]:secretpassword1
[email protected]:secretpassword2
[email protected]:secretpassword3
[email protected]:secretpassword4

The spam bot creates a total of 15,000 threads to send spam messages from one database. Each thread takes a random line from the downloaded file. The next database file is downloaded when all the spam threads finish. If we consider the delays, we can estimate that bot is able to send about 30,000 emails in an hour:

Figure 3: Creating threads for sending spam emails.

Distributing Spam

To send emails, the spam bot uses a simple implementation of the SMTP protocol. The address of the SMTP server is derived from the domain name of an email address. After establishing a connection to the SMTP server and receiving an invitation message, the spam bot sends a HELO/EHLO SMTP message with its own external IP address that it obtained using the icanhazip.com service.

The spam bot then tries to generate a valid random domain name with the following format:

“{4 random digits}.com”

The validity of the domain is checked using a DNS query. This leads to a large number of DNS requests being generated before contacting an SMTP server:

Figure 4: Large number of DNS requests produced by the Phorpiex spam bot.

If a domain was successfully resolved, it is used for the sender’s email address. The first part of the sender email (before “@”) is generated from a hardcoded word and 2 random digits. The sender’s host name, IP address, and a domain name of a fake SMTP server are also random values, as shown in the image below:

Figure 5: Example of the Phorpiex spam bot SMTP communication.

To set a subject field, the spam bot concatenates the username or password to randomly chosen strings (may vary from sample to sample):

Figure 6: Email subjects used by the Phorpiex spam bot.

Therefore, if we assume that [email protected] is the victim’s email address, the subject of the email could be “I recorded you – john_doe”.

Revenue

We saw how threat actors try to use the Phorpiex spam bot to extort money from random victims, but how successful is the campaign indeed?

Check Point Research monitored the campaign and the Bitcoin wallets extracted from every spam bot spotted since April 2019. We found that more than 14 BTC were transferred to those wallets:

Table 2 – BTC wallets used in the sextortion campaign.

Given the number of incoming transactions to these wallets, we can also estimate the total number of victims affected by this campaign. Therefore, we can conclude that approximately 150 victims paid the blackmail demand over the span of five months. Considering the number of emails that the spam bot is capable of generating, despite the low numbers of payments received, this still means this simple scam technique was successful.

On the other hand, passwords from leaked databases, such as those used in the sextortion campaign, are most often not related to victims’ email accounts. Therefore, the value of this data is quite low. Such databases are sold at a low price, or may even be freely accessible. The Phorpiex actors came up with a method of using such low quality data to earn a respectable amount of profit.

Conclusion

Leaked credential lists, containing passwords that are often not compatible with their linked email addresses, are a common and inexpensive commodity. Phorpiex, a veteran botnet, has found a way to use them to generate easy income on a long term basis. This new activity might be connected with the termination of Gandcrab, a ransomware that Phorpiex used to distribute, or just because plain text emails still manage to infiltrate many cyber defense lines. In any case, Phorpiex, which currently operates more than 500,000 infected hosts, is continuously propagating sextortion emails – by the millions.

IOCs

 

 

Check Point Anti-Bot blade provides protection against this threat:

Worm.Win32.Phorpiex.C

Worm.Win32.Phorpiex.D

Worm.Win32.Phorpiex.H