The Phorpiex botnet has been operating for years now. It first focused on distributing old-school worms that spread via infected USB drives or through chats that relied on the Internet Relay Chat (IRC) protocol. Over the years, it has evolved to include a host of malicious activities that ranged from extortion and spamming to data exfiltration, ransomware attacks, and most recently, sextortion.

For those unfamiliar with sextortion, it’s an attack where the bad guys threaten victims of distributing their private and sensitive materials if they don’t give the extortionists images of a sexual nature, sexual favors, or money.

To help study and possibly avoid this threat, we expanded a publicly available list of indicators of compromise (IoCs) so they can avoid accessing as many related web properties as possible.

What Is Known So Far

At the time of the analysis, a total of 1,279 IP addresses connected to Phorpiex bots had been publicized by IBM X-Force Exchange, though the list continues to grow. Here are other interesting facts:

• Phorpiex botnet activity spiked on 29 July 2021.
• Almost 85% of Phorpiex botnet spam are sent on weekdays at around 12 a.m.
• The actors behind the Phorpiex botnet extorted payments in the form of Bitcoins.
• The Phorpiex operators estimatedly earn between US$50,000—160,000 a day.

New Phorpiex Botnet Findings

While the botnet’s operators likely shut it down when its source code came up for sale in the Dark Web, should someone buy it given its profitability, users could still be in danger of getting preyed upon. That said, we expanded the list of IoCs to help them protect against the threat.

Running the 1,279 malicious IP addresses through a bulk reverse IP lookup provided us a list of 638 possibly connected domains that users should avoid accessing. Four of these (listed below) are dubbed malicious and should be blocked from networks:

• prtc[.]net
• as13285[.]net
• as13285[.]net
• ppl-clients[.]fr

Screenshot lookups for the four malicious domains showed that three were unreachable at the time of analysis (i.e., the last three domains). The first domain shows what seems to be a login page for a security application.

The remaining 634 may require monitoring in case they are used to distribute Phorpiex-related malware, especially given their connection to the malicious IP addresses in IBM’s list.

Subjecting the 638 domains to a bulk WHOIS lookup provided unmasked (i.e., not hidden behind privacy services) email addresses. These pointed to 16 unique email addresses (some were used for several domains) that users can add to their blocklists.

Using the 16 email addresses as search terms for reverse historical WHOIS lookups on Maltego gave us an additional one IP address and 178 domains. While none of them are currently detected as dangerous, given their ties to the registrants of the first set of domains (638 that resulted from the bulk reverse IP lookup), they may be worth monitoring at the least.

For users who would like to closely monitor the complete list of web properties (including the newly found artifacts), these facts may help with prioritization:

• Prioritize checking domains from these top 10 registrant countries for signs of malware connection:
  
  

  

• Prioritize checking IP addresses from these top 10 countries:
  
  

  

• Focus on domains that continue to host live websites aided by screenshot lookups. Examples include 0166[.]biz, 132-25[.]125[.]netwtelecom[.]com[.]br, and 138-97-64-58[.]westlink[.]net[.]br.
• Based on our bulk IP geolocation lookup, most of the malicious IP addresses point to mobile devices, as their Internet service providers (ISPs) were telecommunications companies.

We have seen the Phorpiex botnet survive for decades by moving with the tide (changing tools, tactics, and procedures [TTPs]) to ensure attack success. And even if its makers or original operators seem to be retiring, their departure from the scene may still not mean the botnet is dead.

Don’t hesitate to contact us if you wish to obtain a copy of the complete list of additional Phorpiex Botnet Extortion artifacts we found or to discuss potential security research collaborations.