LockBit Black Evolves: Phorpiex Botnet Becomes Ransomware Weapon

Since April of this year, millions of phishing emails have been sent through the Phorpiex botnet as part of a large-scale campaign employing LockBit Black ransomware. This warning comes from the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC).

The attackers typically send emails with subjects like “your document” and “photo of you???” from aliases such as “Jenny Brown” or “Jenny Green.” These emails carry ZIP archives containing executable files that, when run, install LockBit Black on the recipient’s system and encrypt its data.

LockBit Black, used in this attack, is likely based on LockBit 3.0, which leaked online in September 2022. However, the current campaign is not associated with the original LockBit group.

The emails are sent from more than 1,500 unique IP addresses worldwide, including Kazakhstan, Uzbekistan, Iran, Russia, and China.

The attack begins when the recipient opens the malicious ZIP archive and executes the file inside. This file downloads LockBit Black from the Phorpiex botnet’s infrastructure and runs it on the victim’s system. The ransomware steals sensitive data, terminates certain system services, and encrypts files.

Proofpoint, a company investigating these attacks since April 24, reported that the attackers are targeting companies across various industries worldwide. Despite the operation’s simplicity, its scale and the use of ransomware as the initial payload distinguish this malicious campaign.

“Beginning April 24, 2024 and continuing daily for about a week, Proofpoint observed high-volume campaigns with millions of messages facilitated by the Phorpiex botnet and delivering LockBit Black ransomware,” Proofpoint researchers stated. “This is the first time Proofpoint researchers have observed samples of LockBit Black ransomware (aka LockBit 3.0) being delivered via Phorpiex in such high volumes.”

The Phorpiex botnet, also known as Trik, has been active for over a decade. Initially, it was a worm spreading through USB devices, Skype chats, and Windows Live Messenger, later evolving into a trojan controlled via IRC and spreading spam.

Over time, the botnet expanded significantly, controlling over a million infected devices. However, its infrastructure was eventually taken down, and the project’s source code was put up for sale. One of the botnet’s authors said the developers’ interests had shifted and they no longer wanted to maintain or develop Phorpiex.

Previously, the Phorpiex botnet was also used to send millions of emails with threats and spam, as well as to deploy a malicious module that replaced cryptocurrency addresses in Windows’ clipboard with addresses controlled by the attackers.

To protect against phishing attacks, the NJCCIC recommends employing risk mitigation strategies, endpoint protection solutions, and email filtering.
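The campaign described above relies on a simple, filterable pattern: lure subjects and sender aliases combined with a ZIP attachment wrapping an executable. The following is an added example (not code from the NJCCIC or Proofpoint reports) of how a mail-filtering hook could score messages on those traits. The lure subjects and display names are the ones quoted in the article; the list of executable extensions and the sample messages are constructed assumptions for the demonstration.

```python
import email.utils
import io
import zipfile
from email.message import EmailMessage
from email import policy

# Lure traits reported for this campaign (from the article).
LURE_SUBJECTS = {"your document", "photo of you???"}
LURE_DISPLAY_NAMES = {"jenny brown", "jenny green"}
# Extensions treated as executable inside an archive (assumed list, not from the report).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".dll")
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}


def executables_in_zip(data: bytes) -> list[str]:
    """Return member names that look executable; empty list if data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def assess_message(msg: EmailMessage) -> list[str]:
    """Return a list of human-readable reasons the message matches the campaign pattern."""
    reasons = []

    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"lure subject: {subject!r}")

    display_name, _addr = email.utils.parseaddr(msg.get("From") or "")
    if display_name.strip().lower() in LURE_DISPLAY_NAMES:
        reasons.append(f"lure sender alias: {display_name!r}")

    # Inspect every attachment; unpack ZIPs and look for executable members.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        is_zip = fname.lower().endswith(".zip") or part.get_content_type() in ZIP_TYPES
        if not is_zip:
            continue
        payload = part.get_payload(decode=True) or b""
        execs = executables_in_zip(payload)
        if execs:
            reasons.append(f"zip attachment {fname!r} contains executable(s): {execs}")
    return reasons


def build_sample(subject: str, sender: str, attachment_name: str, members: dict[str, bytes]) -> EmailMessage:
    """Construct a test message with an in-memory ZIP attachment (constructed sample data)."""
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached file.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment_name)
    return msg


if __name__ == "__main__":
    # Constructed lure resembling the reported campaign, and a benign control message.
    suspicious = build_sample("your document", "Jenny Brown <jenny@example.invalid>",
                              "document.zip", {"document.exe": b"MZ\x90\x00"})
    benign = build_sample("Q3 report", "Alice <alice@example.invalid>",
                          "report.zip", {"report.pdf": b"%PDF-1.4"})
    for label, m in (("suspicious", suspicious), ("benign", benign)):
        print(label, "->", assess_message(m) or ["no findings"])
```

A real gateway would feed the parsed message in from its MTA hook and quarantine when `assess_message` returns any attachment finding; the subject and alias checks alone are weak signals (senders rotate them), so the executable-in-ZIP test is the one worth acting on by itself.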