Check Point: The spam bot used by Phorpiex to run large-scale sextortion campaigns
The network security company Check Point released a report analyzing a botnet named Phorpiex. With over 500,000 infected computers, it is a medium-sized botnet. Phorpiex is understood to have first appeared more than a decade ago. “In the past, Phorpiex was monetized mostly by distributing other malware including GandCrab, Pony, Pushdo, and used its hosts to mine cryptocurrency.”
Once the botnet had grown quite large, the malware began using infected devices to send ransom emails. In these emails, the Phorpiex operator claims to have obtained pornographic pictures or videos of the victim and blackmails them. “The Phorpiex/Trik botnet uses a spam bot that downloads a database of email addresses from a C&C server. An email address is then randomly selected from the downloaded database, and a message is composed from several hardcoded strings.”
At its peak, the botnet sent out 27 million fraudulent emails in a few days, and some infected devices sent an average of 30,000 scam emails per hour. These fraudulent emails can bring criminals $115,000 in income within five months.