Phorpiex Botnet Distributes LockBit Ransomware Through Compromised Websites

Cybereason Security Services has published a comprehensive threat analysis highlighting the resurgence of the Phorpiex botnet, which is being leveraged to deploy LockBit Black Ransomware (also known as LockBit 3.0).

This report sheds light on the botnet’s technical evolution and its role in advancing ransomware operations.

Automated Deployment of LockBit Ransomware

Unlike traditional ransomware attacks where human operators are directly involved, the attackers behind this campaign employed Phorpiex to automate the delivery and execution of LockBit ransomware.

This approach underscores the sophistication and efficiency of utilizing botnets for ransomware distribution.

Phorpiex’s variant delivered LockBit ransomware without expanding the infection laterally within the victim’s network, signaling a shift from the typical strategy of maximizing impact by encrypting multiple systems.

The report reveals that Phorpiex, also known as “Trik,” has maintained its core structure despite being sold in 2021.

The malware still attempts to delete Zone.Identifier metadata files, a tactic consistent across different Phorpiex variants.

This minimal evolution in code design aligns with its sustained role in delivering various malicious payloads over the years.

Technical Connection Between Phorpiex and LockBit

Phorpiex, which has historically been used for spam campaigns and cryptocurrency mining, has now become an effective vector for distributing LockBit ransomware.

LockBit, operational since 2019, is a high-profile Ransomware-as-a-Service (RaaS) group, infamous for its rapid encryption mechanism, double extortion strategies, and targeting of high-value industries ranging from defense to logistics.

Phorpiex’s widespread reach and modular functionality make it an attractive tool for deploying LockBit efficiently. O

perators behind LockBit have strategically incorporated Phorpiex into their ecosystem of tools to maximize profitability while evading detection.

The infection process begins with phishing emails sent from compromised domains such as “gsd[.]com.” These emails contain ZIP files with either a LockBit downloader (.SCR) or TWIZT downloader (.LNK).

Upon execution, these files establish connections with command-and-control (C2) servers, download the ransomware payload, and execute additional obfuscation techniques.

For example, the LockBit variant uses anti-analysis mechanisms like library obfuscation and URL cache deletion to ensure stealth.

TWIZT downloader, associated with Phorpiex, relies on unique infection checks such as verifying the presence of specific JPEG files to identify newly infected hosts.

It also employs mutex creation and registry manipulation for persistence.

The resurgence of Phorpiex as a delivery mechanism for LockBit ransomware highlights the evolving tactics employed by cybercriminals.

As the threat landscape intensifies, organizations must adopt proactive measures to defend against such layered and automated attacks.

The Cybereason report emphasizes the urgent need for organizations to fortify their defenses against botnet-driven ransomware campaigns.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free