Phorpiex Breakdown

Research by: Alexey Bukhteyev

Introduction

We recently wrote about the massive “sextortion” spam campaign carried out by the Phorpiex botnet. However, this is only a small part of this botnet’s malicious activity. Capable of acting like both a computer worm and a file virus, Phorpiex is spread through exploit kits and with the help of other malware and has infected more than 1,000,000 Windows computers to date. By our assessment, the annual criminal revenue generated by Phorpiex botnet is approximately half a million US dollars.
Of course, to maintain such a large botnet, a reliable command and control (C&C) infrastructure is required. For malware with a small outreach, or if infected computers are not part of a single botnet, virtual private servers (VPS) are most often used. VPS hosting services can be purchased from legitimate companies. Many VPS hosting providers don’t require identity verification, and the services can be paid for anonymously.
However, in the case of the Phorpiex botnet, a public VPS is not suitable. First of all, the C&C server for such a botnet would immediately attract attention with a large amount of malicious traffic: several million requests per day from more than 100,000 unique IP addresses are sent to the Phorpiex C&C servers. By our assessment, the monthly volume of the botnet’s C&C traffic may exceed 70 TB. Therefore, Phorpiex doesn’t use public VPS hosting services. Instead, it uses dedicated IP subnets registered to figureheads.

Botnet Architecture

Initially, the Phorpiex has been known as a botnet operated using IRC protocol (also known as Trik). However, recent Phorpiex campaigns have switched to modular architecture and got rid of IRC communication. We barely saw any of its IRC C&C servers online in 2019. However, our sinkholes still indicate many thousands of hosts infected with Trik. When we did spot IRC C&C servers online, we managed to capture a command for loading another malware to the infected machines:

 

Figure 1 – Trik C&C communication dump with the decrypted URL.

 

We assume that this malware, self-named Tldr (probably stands for “TrikLoader”), has currently become the core part of the Phorpiex botnet. Tldr is a downloader that uses HTTP protocol for communication with C&C servers. Its main purpose is to load another malware on the infected machines. Some Tldr samples have the functionality of a computer worm and can spread through removable drives. We also observed variants of the malware that act like a file virus infecting other software.
If necessary, malware actors can extend the functionality of the botnet by loading additional modules. The image below shows the infection flow and modular architecture of the current botnet.

 

Figure 2 – Phorpiex infection flow and architecture.

 

The purpose of Tldr, and modules such as the VNC Worm and the NetBIOS Worm, is to distribute the botnet as much as possible. The final goal of the Phorpiex operators is to gain profit, generally in crypto-currency.
The main ways the botnet is monetized:
– Sextortion spam.
– Crypto-jacking.
– Crypto-currency clipping.
– Providing services for loading other malware (Raccoon stealer, Predator The Thief), distributing ransomware.

Currently, the Phorpiex botnet doesn’t load ransomware. After the termination of the GandCrab ransomware, the Phorpiex botnet completely switched to sending sextortion spam emails from the infected computers and loading data stealers there.
We should emphasize that almost all samples of Trik and Tldr include crypto-clipper functionality. Addresses of all crypto wallets consist of a long combination of digits and letters. The only way to transfer crypto-currency without additional devices is to copy the address to the clipboard and then insert it in a corresponding field in a wallet application. The malware alters crypto wallet addresses in a clipboard, and the money is transferred to the wallet that belongs to the malware operators. Crypto-clipper functionality allows malware operators to gain profits without any additional effort, even when C&C servers are offline. Bitcoin wallets used in both Trik and Tldr configurations continue to receive stolen Bitcoins and have collected more than 17 BTC so far.
Botnet capacity assessment
Phorpiex bots continuously scan domain names and IP addresses extracted from the configuration. Even if a valid C&C server responds, the malware continues to query other hosts. Therefore, after registering domains from different Tldr configurations, we started to receive a large number of connections from Phorpiex bots. This allowed us to assess the prevalence of the botnet.
During the past two months, we registered connections from more than 1,000,000 unique hosts. At any given time, an average of 15,000 bots is online, and up to 100,000 bots are active daily.

 

Figure 3 – Number of bots online hourly.

 

The botnet hosts are primarily located in Asia. The most significant parts of the botnet are located in India, China, Thailand, and Pakistan. There are also bots present in the US, Mexico, and many African countries. Europe is almost unaffected by the botnet.

 

Figure 4 – Phorpiex botnet global locations.

 

C&C Infrastructure

All Phorpiex modules use a hard-coded list of IP addresses and domain names for C&C communication. While most malware implements DGA, using hard-coded domain names doesn’t impair the survival of the Phorpiex bots. We suppose the list of domain names is used as a precaution, to be able to regain control of the bots in case of the loss of C&C servers accessed by the IP address. The list of domain names is updated periodically. While monitoring the Phorpiex campaign during 2019, we discovered more than 4,000 different samples of Tldr, with approximately 300 configurations and 3297 domain names and IP addresses.
Tldr uses the same C&C servers that were used by the Trik IRC bot:

 

Figure 5 – Phorpiex C&C infrastructure.

 

Currently, the most active IP used by the botnet for its C&C servers is 185.176.27.132 and addresses from the subnet 92.63.197.0/24.
We found that the subnet 92.63.197.0/24, which hosts a lot of Phorpiex C&C servers, was also observed in other threats like Smoke Loader and Necurs, and used for sending phishing and spam emails, and for port scanning.

One more interesting fact regarding this subnet is that it is registered to an individual entrepreneur in the Ukraine:

 

org-name: FOP HORBAN VITALII Anatoliyovich
org-type: OTHER
address: 62408, KHARKIV REGION, ELITE village, SCHOOL str. 25, AP. 26
e-mail: [email protected]

 

We found the registration data for an individual entrepreneur called “FOP HORBAN VITALII Anatoliyovich.” His main activity is in food retail:

 

Figure 6 – Screenshot from the Directory of Companies of the Ukraine.

 

Therefore, we think “FOP HORBAN VITALII Anatoliyovich” is just a figurehead.
Almost the same situation appears if we search for data about another IP address used by the Phorpiex C&C server – 185.176.27.132:

 

org-name: IP Dunaev Yuriy Vyacheslavovich
org-type: OTHER
address: 420132, Kazan, Chuikova str, 69
e-mail: [email protected]

 

Dunaev Yuriy Vyacheslavovich is also an individual entrepreneur from Russia (Republic Tatarstan) whose main activity is transport services. As in the previous case, the activity of the entrepreneur is not related to the Internet or IT in any way.
Packets to this network are routed through Telehouse ISP, which is physically located in Bulgaria:

 

9 50 ms 49 ms 49 ms as50360.peer.telehouse.bg [178.132.83.102]
10 46 ms 46 ms 46 ms 192.168.244.2
11 51 ms 50 ms 50 ms 185.176.27.9
12 50 ms 46 ms 50 ms 185.176.27.132

 

Perhaps, what we are witnessing is cooperation between Phorpiex and another cybercrime group that obtains IP subnets from RIPE and provides services for hosting malicious C&C infrastructure.

Crypto-jacking campaign

Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. One of the final payloads loaded to Phorpiex-controlled computers is XMRig mining software. The reward for crypto-currency mining using XMRig is paid in Monero (XMR). The Phorpiex XMRRig miner comes with the configuration embedded in the sample. It uses Phorpiex C&C servers as mining pools:

Table 1 – Phorpiex C&C servers and XMRig mining pools.

In addition, we found XMR addresses for Phorpiex XMRig samples and found that they are the same as those used in the “sextortion” campaign. The wallets are stored in integrated format. This means that the address also contains the Payment ID. The Payment ID is usually used to identify transactions to merchants and exchanges. Given the intrinsic privacy features built into Monero, where a single public address is usually used for incoming transactions, the Payment ID is especially useful to tie incoming payments with user accounts. The XMR addresses extracted from the Phorpiex XMRig samples and used in sextortion campaigns differ only by the Payment ID:

 

Table 2 – Phorpiex Monero wallets noticed in XMRig samples and sextortion campaign.

 

These facts leave no doubt that the Phorpiex botnet owners receive all the profit from mining.
Unfortunately for us, due to its privacy features, the Monero blockchain doesn’t allow us to track transactions and view an individual’s balance. However, we can estimate the profitability of the crypto-jacking campaign using the results of the botnet capacity assessment, the Monero mining profitability calculator, and other Monero benchmarks. Assuming that the average Phorpiex victim doesn’t have top-level hardware, the basis of our calculation was a low hash rate of 100 H/s which corresponds to INTEL I5-6500T CPU. At any given time, an average of 15,000 bots is online. Therefore, the total Monero mining hash rate provided by Phorpiex botnet is 1.5 MH/s. Of course, Phorpiex actors don’t pay for the electricity and pool fee as regular miners do, so we assume those values are equal to 0:

 

Figure 7 – Monero mining profitability calculation.

 

Therefore, by our assessment, the Phorpiex botnet must generate at least 3,122 XMR per year which currently is equivalent to about 21 Bitcoins (BTC) or $ 180,000.

Crypto-clipping campaign

We first saw transactions to the wallets observed in the Trik configuration in August 2016. This may be the time when crypto-clipping functionality was first added to Trik. Malware creators started their operations stealing Bitcoin only. In Tldr, they added support for a large number of virtual assets including Ethereum, Litecoin and even Perfectmoney.
Unlike Monero, the Bitcoin and Ethereum blockchains allow us to monitor all transactions. Therefore, we are able to assess how effective a particular crypto-clipping campaign is. We collected a large number of Trik and Tldr samples and the Bitcoin wallets extracted from them.
Bitcoin wallets extracted from Trik configurations received a total of more than 11 BTC in 376 transactions:

 

Table 3 – Phorpiex Trik crypto-clipper BTC wallets.

 

As we can see from the table, despite the fact that Trik bots don’t receive updates and the C&C servers are offline, some wallets still continue to gain Bitcoins.
The table below contains Bitcoin wallets extracted from Tldr configurations:

 

Table 4 – Phorpiex Tldr crypto-clipper BTC wallets.

 

Therefore, in the 3 year period, crypto-clipping campaigns allowed the malware operators to steal more than 17 BTC in 875 transactions, or about 5.6 BTC annually.
Ethereum crypto-currency wallets extracted from Trik and Tldr samples gained much less than Bitcoin wallets:

 

Table 5 – Phorpiex crypto-clipper ETH wallets

 

There are only 51 transactions, with a total amount of about 17 ETH, whose current value is much less than Bitcoin. However, those wallets are interesting to us for another reason. Services like etherescan.io can show if an Ethereum address belongs to a particular exchange or service. For the addresses from the table, all ETH are transferred to the address of the Cryptonator service:

 

Figure 8 – Ethereum transactions from the Phorpiex ETH address.

 

Therefore, we can conclude that the Ethereum addresses used in the crypto-clipping campaign are created in a Cryptonator wallet. Cryptonator requires a valid email address for registration and confirmation for each new IP address and device by email. We think that the access logs of the Cryptonator service may store the real IP addresses of the Phorpiex actors.
Another interesting fact is that some of the Ethereum wallets have collected a large number of ERC-20 tokens:

 

Figure 9 – Ethereum ERC-20 tokens transactions to the Phorpiex ETH address.

 

However, the tokens can’t be withdrawn from the wallets because Cryptonator doesn’t support tokens based on the Ethereum blockchain. Most likely, this wasn’t taken into account by the malware actors. Therefore, token transfers from victims are simply blackholed.
Comparison to the sextortion campaign
We’ve been observing the Phorpiex sextortion campaign for about half a year. During this period, we recorded transfers of more than 14 Bitcoins [update the numbers before publication] to the Phorpiex wallets related to this campaign. If the trend continues, the annual revenue of the sextortion campaign would be 28 Bitcoins.

 

Figure 10 – Comparison of the Phorpiex earnings from different malicious activities.

 

Sextortion appears to be a more profitable venture than crypto-currency clipping or mining using the botnet’s computing power. However, those malicious activities complement each other, generating about 54.6 Bitcoins annually, which is currently about $500,000.

 

Conclusion

We inspected some of Darknet advertisements that provide prices for malware installation services. Usually infection services prices vary from $100 to $1000 per 1000 infections, depending on the victims’ location. Phorpiex bots are mostly located in Asia – the region in which malware installation services are the cheapest. Therefore, to purchase malware infection services on the Darknet, the owners of the Phropiex botnet would pay about $100,000. However, in addition to purchasing infections through side services like the RIG exploit kit or the Smokeloader botnet, Phropiex also uses its own distribution techniques: the VNC worm module, NetBIOS worm module, and file virus functionality. But even with these costs, as we can see, the creation of such a botnet appears to be very profitable.
The tools used by Phorpiex are not too sophisticated. Obviously, not much time was spent on their development. This case shows us that such a massive botnet can be created by cybercriminals without a deep knowledge of system programming, cryptography, etc.
The ecosystem that currently exists in the Darknet makes it easy enough to implement almost any idea for cybercrime.

IOC

Check Point Anti-Bot blade provides protection against this threat:
Worm.Win32.Phorpiex.C
Worm.Win32.Phorpiex.D
Worm.Win32.Phorpiex.H