In one of our Threat Hunting Content blog posts, we already covered a rule to detect Avaddon ransomware, a new Ransomware-as-a-Service variant first spotted in early June. One of the most active distributors of Avaddon is the Phorpiex botnet, which has recently recovered from the losses it suffered earlier this year. A single infected system can send tens of thousands of emails per hour, and at the end of 2019 the number of such systems was close to half a million.
The Phorpiex botnet, also known as Trik, has been active for more than a decade, and over the past couple of years it has twice been out of operation for an extended period because of security breaches. The last time, this winter, someone hijacked the botnet's backend infrastructure and uninstalled the spam-bot malware from some of the infected hosts, while also showing a popup window telling victims to install an antivirus and update their systems. Despite this, the operators once again restored the botnet and began conducting mass-spam campaigns spreading Avaddon ransomware. In the past, the botnet has repeatedly been used for sextortion campaigns, to deliver GandCrab ransomware and the Pushdo trojan, and to mine cryptocurrency on infected hosts (some of these mass-mailing waves peaked at 27 million emails per campaign). A new threat hunting Sigma rule submitted by Osman Demir enables security solutions to uncover the installation of recently discovered Phorpiex botnet samples: https://tdm.socprime.com/tdm/info/3MbqhCMu2lQ7/SsQ7OHMBPeJ4_8xc3syx/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio
EDR: Carbon Black, Elastic Endpoint
Tactics: Initial Access
Technique: Spearphishing Attachment (T1193; in current versions of MITRE ATT&CK this technique is T1566.001, a sub-technique of Phishing)