New Jersey’s Cybersecurity and Communications Integration Cell (NJCCIC) reported that since April, threat actors used the the Phorpiex botnet to send millions of phishing emails as part of a LockBit Black ransomware campaign.
The botnet has been active since at least 2016, it was involved in , crypto-jacking, cryptocurrency clipping (substituting the original wallet address saved in the clipboard with the attacker’s wallet address during a transaction) and ransomware attacks in the past
In August 2021 the criminal organization behind the have shut down their operations and put the source code of the bot for sale on a cybercrime forum in on a dark web.
In December 2021, experts at Check Point Research observed the resurgence of the Phorpiex botnet.
The new variant, dubbed “Twizt,” could operate without active C2 servers in peer-to-peer mode. Each of the infected computers can act as a server and send commands to other bots in a chain. Experts estimated that in one year it allowed to steal crypto assets worth of 500,000 dollars.
The emails sent in the April campaign contain ZIP attachments and were sent by the same addresses, “JennyBrown3422[@]gmail[.]com,” and “Jenny[@]gsd[.]com.”
The ZIP archives contain a compressed executable payload that, if executed, will start the encryption process with LockBit Black ransomware.
“Observed instances associated with this campaign were accompanied by the (Trik) botnet, which delivered the ransomware payload. Over 1,500 unique sending IP addresses were identified, many of which were geolocated to Kazakhstan, Uzbekistan, Iran, Russia, China, and other countries.” states the published by the NJCCIC. “Identified IPs hosting LockBit executables were 193[.]233[.]132[.]177 and 185[.]215[.]113[.]66. Subject lines included “your document” and “photo of you???”. All associated emails were blocked or quarantined.”
To defend against ransomware campaign like this one, NJCCIC provided the following recommendations:
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, Phorpiex botnet)