Phorphiex/Trik Botnet Campaign Packs a Strong Payload Punch

hands on a keyboard

This article was originally published on the AppRiver blog.

There are few botnets with the capability to send tremendous volumes and pack an infection chain as malicious as the Phorphiex Worm/Trik botnet this year.

For 2019, the Mealybug threat group has garnered the most media attention with Emotet attacks. However, the Phorpiex/Trik botnet is not to be easily outdone. AppRiver filters have captured more than 1.4 million directly attached malicious messages this year, with 847,947 of those messages arriving since April 4, 2019.

The infection chain for this attack packs a serious punch to unsuspecting users worldwide. It begins with a phishing email containing a zip file. Once the javascript file inside the zip has been launched it quickly loads the Phorphiex worm/trojan loader, Gandcrab ransomware, Ursnif ISFB (Gozi) banking trojan, and the CryptoNight XMRig cryptocurrency miner.

Phorphiex also known as Trik Botnet (SDBot Fork)

 The Phorphiex worm is a decade-old worm which historically spread via live chat (Windows Messenger / Skype) and USB storage drives. Most recently it made news due to a leaky server which revealed 43,555,741 unique email addresses spread across 4.6 million domains. Lately it has been tracked via the alternative name of Trik (SDBot Fork), but should not to be confused with the Trickbot banking trojan.

Trik uses IRC for it's command and control communication and contains the ability to download and run additional exectubles, brute force email credentials, and utilize infected systems to further propagate spam and malicious payloads.

The sample we inspected contained the ability to disable anti-virus and firewall protection by modifying the Windows registry values: AntiVirusOverride, UpdatesOverride, FirewallOverride, AntiVirusDisableNotify, UpdatesDisableNotify, AutoUpdateDisableNotify, & FirewallDisableNotify.

It also contains basic anti-analysis capabilities to determine if it's in a malware research environment. Methods include comparing running processes to known analysis tools, checking folder names, user names, using the FindWindow API, and checking for debugging via the IsDebuggerPresent function.

Trik Botnet Phishing Emails

The best thing going for users is that Trik spam emails are relatively simple to recognize. The sending addresses utilize a bogus name followed by two random numbers @ then four random numbers.com.

These names and numbers used for the spam emails are hardcoded lists into Trik and follow a basic structure. The subjects vary, however, for this campaign the body contains the same smiley emoji and attachment naming format of PIC#'s-JPG.zip.

Initial Payload (1.exe) - Gandcrab Ransomware v5.2

Gandcrab is the most widely distributed ransomware via email so far this year. The authors, known by some researchers as Pinchy Spider, continuously update it to help avoid anti-virus detection. It is a Ransomware-as-a-Service (RaaS) business model. Pinchy Spider takes a 60-70% cut from profits for actors who utilize the software.

New ransomware senders can also pay Pinchy Spider $100 for up to 200 victims during a two-month period. In addition, it's available to license for $1200. This allows more skilled attackers to utilize their own logo and update the code as needed to help avoid detection. Since many different actors use Gandcrab, demanded ransom amounts vary widely but have been documented anywhere from $250 to over $400,000.

Decryption software exists for many versions prior to 5.2 but there is no way to currently decrypt this version for free. Version 5.2 was likely released in response to the decryption tool becoming publicly available. 

Cryptojacking Payload (2.exe) - CryptoNight XMRig Miner 

Cryptojacking a machine is simply the unauthorized use of someone else's machine to mine cryptocurrency.  Chaining a cryptocurrency miner into an attack that already includes ransomware, and a banking trojan ensures profitability for the malicious actor.

Open source software XMRig allows mining for Monero cryptocurrency via CPU or GPU hardware. Bitcoin requires the more expensive GPU hardware to effectively mine the currency. However, the CryptoNight XMRig algorithm favors CPU's, malicious actors gain a higher monetary gain for successful attacks.

Captured JSON Login Communication - Sent to 92.63.197.153:7575

{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"eeeb5d54-7880-42a7-b542-739bbc26cf4b","pass":"x","agent":"XMRig/2.13.1 (Windows NT 6.1; Win64; x64) libuv/1.20.3 gcc/8.2.0","algo":["cn/r","cn/wow","cn/2","cn/1","cn/0","cn/half","cn/xtl","cn/msr","cn/xao","cn/rto","cn/gpu","cn"]}}.

Banking Trojan Payload (4.exe) - Ursnif / Gozi ISFB

Ursnif / Gozi is one of the top global threats as a banking trojan with global distribution since 2007. The original Russian author, Nikita Kuzmin, was caught then court ordered $6.9 million in restitution along with serving 37 months in prison before being released under undisclosed terms.

Since then the Gozi source code has been leaked, improved, and new features added. The current version is now known as Ursnif / Gozi ISFB and is located on GitHub for anyone to utilize. The attacks we see most often (beside Trik campaigns) are the Dark Cloud botnet distributing it in the form of conversation hijacking attacks or fake resumes. However, many groups mobilize the trojan due to it's evasive capabilities for avoiding detection and analysis.

Major ISFB stealer functionalities:

  • Keylogging
  • Capturing Screen Shots & Video of activity being conducted on the system
  • Extracting browser cookie information preserving the structure directories
  • Retrieve Certificates stored in the Windows system store
  • Harvest email credentials
  • Use browser APIs to hook calls & serve up substitutions (phishing sites) of legitimate banking sites
  • Capture FTP Credentials

Indicators of Compromise (IOC):

Main object - "PIC074780520-JPG.js:"
sha256 5ef40d547de68ffbb7c265ae074b24ae34bffaaa4420d25fe7d9c70f81c952e8 
sha1 c4f7f94fe74dfe1ec1b9807806bc4cc87d1d487d 
md5 2d0df477069cba3cf75ec987a0e9270f

Dropped Executable File:
sha256 C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\619514.exe90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac 
sha256 C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\1[1].exe22709d7884e71cdeb419e81453644edef69f8373a7a676c85c4d85f1ab67be46 
sha256 C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\2[1].exe1a26ce3b96b1ccd7af4c8d6f4de0e4b4320535b20895a295e1a96aa009843a71 
sha256 C:\Users\admin\AppData\Local\Temp\2482930933.exe60924e938260500bea6ca3a3475455bdea8ec70ad6df3358f2f867460061c535

DNS requests:
domain efhoahegue[.]ru 
domain afhoahegue[.]ru 
domain tfhoahegue[.]ru 
domain rfhoahegue[.]ru 
domain xfhoahegue[.]ru 
domain afhoahegue[.]su 
domain efhoahegue[.]su 
domain rfhoahegue[.]su 
domain tfhoahegue[.]su 
domain xfhoahegue[.]su 
domain resolver1.opendns[.]com 
domain 11totalzaelooop11[.]club 
domain www.kakaocorp[.]link 
domain myip.opendns[.]com 
domain adonis-medicine[.]at

Connections:
ip 92.63.197.153 
ip 208.67.222.222 
ip 188.254.179.205 
ip 107.173.49.208 
ip 192.35.177.64

HTTP/HTTPS Requests:
url http://adonis-medicine[.]at/images/QCnhd13eICD_2/FPJ2piPS/PS_2Bxev9vpAGP4MTx_2F5v/1dd3qTe_2F/hU3xzApMxcvBsHkWM/SXNfDncA7LDF/cVEdPbPh7A_/2BX1p7Me4FE5_2/BWTVpI8Ll3n3urrWJ2ccF/j207fj_2B1A7SCAa/mGyGbrlGM_2FGYg/BXvsEnZXARx0xFm_2F/r5ulwkYbj/sO_2FgZRsy6rhMRprx_2/BMLflLF.gif 
url http://92.63.197[.]153/s/4.exe 
url http://92.63.197[.]153/s/3.exe 
url http://adonis-medicine[.]at/images/Xpzysfts0_2Fc_2FVlnv/NVGgAHDEh1TFvW_2Byg/MmdXsFq9DvBELXouRNsWNb/6jOOxvSLBXkgr/br9sw7Ua/tnGUy90pkA4OkqPP8Eg5kHe/H32t42meYu/pqbX6lOVuidptuaA9/VqdUlN0_2BRK/3fteGZrDG0t/Bs8MrcyOvwh0Fb/wyJqwrzppTtLvuRjEuFmu/ziUfZmNLeqU7M_2B/wQKEgXFVauQB_2B/HSqc3.bmp 
url http://92.63.197[.]153/s/VNEW=1 
url http://92.63.197[.]153/good.exe 
url http://92.63.197[.]153/s/1.exe 
url http://92.63.197[.]153/s/2.exe 
url http://92.63.197[.]153/s/5.exe 
url http://www.kakaocorp[.]link/ 
url http://92.63.197[.]153/update.txt