Detection Content: Phorpiex Trojan

In one of our earlier Threat Hunting Content blog posts, we covered a rule to detect Avaddon ransomware, a new Ransomware-as-a-Service variant that was first spotted in early June. One of the most active distributors of Avaddon ransomware is the Phorpiex botnet, which recently recovered from losses incurred earlier this year. Infected systems can send tens of thousands of emails per hour, and at the end of 2019 the number of such systems was close to half a million.

The Phorpiex botnet, also known as Trik, has been active for more than a decade, and over the past couple of years it has been out of operation twice for extended periods due to security breaches. Most recently, this winter, someone hijacked the botnet's backend infrastructure and uninstalled the spam-bot malware from some of the infected hosts, while also showing a popup window telling victims to install an antivirus and update their systems. Despite this, the cybercriminals behind it restored the botnet's capacity once again and began conducting mass-spam campaigns spreading Avaddon ransomware. In the past, the botnet has repeatedly been used in sextortion campaigns, to deliver GandCrab ransomware and the Pushdo trojan, and to mine cryptocurrency on infected hosts (some of these mass-mailed waves peaked at 27 million emails per campaign). A new threat hunting Sigma rule submitted by Osman Demir enables security solutions to uncover the installation of recently discovered Phorpiex botnet samples: https://tdm.socprime.com/tdm/info/3MbqhCMu2lQ7/SsQ7OHMBPeJ4_8xc3syx/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Initial Access

Technique: Spearphishing Attachment (T1193)
Ready to try out SOC Prime TDM? Sign up for free. Or join the Threat Bounty Program to craft your own content and share it with the TDM community.