Phorpiex malware spreads GandCrab phishing emails

Introduction

After analyzing the ongoing GandCrab email distribution campaign, we at InQuest Labs decided to look further into the emails themselves and exactly how this malware is being propagated. Taking a second look at one of the payloads from our last analysis, we found that the Phorpiex malware family acts as an email spreader for sending phishing emails with attachments. This immediately stood out as the likely culprit behind the havoc across Internet mailboxes these past weeks.

By taking a closer look at the malware named in a previous blog post as “Trik” or “Trik.pdb”, we have now identified it as the malware family Phorpiex. Due to the family's email spreader capability and unique strings found in the malware, it is highly likely to be responsible for the distribution of the GandCrab phishing campaigns we've seen in the wild over the past several weeks to months.

Phorpiex as a malware family has been around for several years and has not changed much in purpose, functionality, or code from the older samples we discovered. The primary goal of Phorpiex is to spread emails, either with or without attached files, and to attempt to brute force SMTP credentials. These actions are triggered by commands sent to the infected host through a built-in IRC bot, which connects to a hard-coded Command and Control server. The malware itself is not incredibly advanced: it has minimal evasion techniques, is often not packed during delivery, and is not very subtle when it comes to dropping files on disk or using hard-coded strings where more advanced malware families would use randomized characters.

Some more recent campaigns have also seen Phorpiex being used to distribute the Pony and Pushdo malware families, though with available data GandCrab appears to be the front-runner in recent months.

Family History

All of our analyzed samples had the following PDB string:

  • C:\Users\x\Desktop\Home\Code\Trik v6.0 - WORK - doc\Release\Trik.pdb

Searching VirusTotal Intelligence for the “Trik.pdb” string reveals a significant number of samples that use the same file path with other version numbers in the Trik file path string, some of the oldest dating back roughly 5 years. While we are not analyzing these samples here, it is highly likely that these are variants of this malware developed by the same author and, given the frequency with which these samples have recently been uploaded to VirusTotal, they are either being used in another active campaign or are merely old samples that are now finally making the rounds into VirusTotal.

Some of the other older versions we found included “Trik v5.0” and “Trik v3.0”. Even though the version numbers are different in these samples, the functionality and core purpose remain mostly the same.

Initial Execution

Upon execution, Phorpiex creates a copy of itself using the filename “winsvc.exe” in one of three separate directories. Other payload file names seen include “winmgr.exe”. The directory is chosen by iterating over the list of options below; the payload is dropped into the first one that exists and that the malware can write to:

  • C:\Windows
  • C:\Users\$USERNAME\%TEMP%
  • C:\Users\$USERNAME

The payload also employs some minor evasion and anti-analysis techniques. For example, if any of the following processes are found running, the payload terminates its process:

  • tcpview.exe
  • procmon.exe
  • netstat.exe
  • wireshark.exe

Checks are also performed to see if the sample is running within a sandbox or being debugged: the usual “IsDebuggerPresent” call, plus looking for the existence of QEMU, VirtualBox, VMware, and Sandboxie through DLL names and running processes associated with these virtualization platforms. Once these checks have been passed, or bypassed if you are debugging and patching the binary, it continues down its installation path.

Within the chosen directory explained above, a new sub-directory is created to house the payload copy. The sub-directory name is hard-coded as M-5050502652865804205. This value is likely to change between batches of samples, but it appears always to be prefixed by the letter “M” followed by a “-” character and 19 digits.

If this is the payload's first run, it adds itself to the Windows registry to persist across reboots at the following location:

  • Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Key: Microsoft Windows Service
  • Value: $FILEPATH\winsvc.exe

A mutex is also created but the exact string seems to vary from sample to sample.

Command & Control

The samples we analyzed used a hard-coded C&C server of 185.189.58[.]222. This is the same server seen in our previous analysis of this GandCrab campaign, and we can see the C&C server is still active in more recent samples captured in the wild.

Many other researchers, blacklist services, online sandboxes and scanners, and security vendors have also recently noted the use of this specific Command & Control server in relation to GandCrab and Phorpiex, making it clear that our discovery was indeed not an isolated case and that this malware pairing campaign has wide-spread implications for users.

The Phorpiex family uses an embedded IRC bot to communicate with this Command and Control server on TCP port 5050. The IRC bot username is created in the format |<3 character Country Code>|[a-z]{3}. Once the bot joins the server, it will receive an instruction to join a specific channel. In the samples analyzed this channel was either “#QC” or “#SMTP”, although the channel names and servers likely rotate often on a per-campaign basis. Here the bot then receives commands from the botnet administrators to begin sending phishing emails or brute forcing SMTP accounts, depending on which command is received.

The bot can also be told to download and execute an arbitrary payload from a URL, instead of spreading it via phishing emails.

The SMTP brute-forcing function can be stopped by the infected host receiving the “b.off” IRC command, while the email spreading function can be stopped by receiving the “m.off” IRC command. Also, the command “rmrf” will completely remove the Phorpiex payload from the Windows Registry and its installed directories.

Outside of IRC command and control, when HTTP requests are made to the same C&C host or to one of the decoded URLs, the following HTTP User-Agent has been seen in use:

  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0

The existence of this specific user-agent seen in HTTP traffic to the IP address listed above, or when downloading Windows executable files, is a high confidence Indicator of Compromise, and the affected system should be investigated immediately.
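As an added example that is not part of the original post, the following Python scans reconstructed IRC lines from a session like the one described above and flags the bot nick format, the observed channels, and the operator commands named here. The one-message-per-line layout, the sample session, and the country code in the nick are constructed assumptions.

```python
import re

# Bot nick format from the page: "|" + three-letter country code + "|" + three lowercase letters.
NICK_RE = re.compile(r"^\|[A-Z]{3}\|[a-z]{3}$")
CHANNELS = {"#QC", "#SMTP"}                  # channels observed in the analysed samples
KNOWN_COMMANDS = {"b.off", "m.off", "rmrf"}  # operator commands named on the page

def parse_irc_line(line):
    """Split one raw IRC line into (prefix, COMMAND, params); prefix is None if absent."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    command, _, params = line.strip().partition(" ")
    return prefix, command.upper(), params

def triage_irc_session(lines):
    """Return (indicator, value) pairs for Phorpiex traits seen in a reconstructed IRC session."""
    findings = []
    for raw in lines:
        _, command, params = parse_irc_line(raw)
        if command == "NICK" and NICK_RE.match(params):
            findings.append(("nick_format", params))
        elif command == "JOIN" and params.split(",")[0] in CHANNELS:
            findings.append(("channel", params))
        elif command == "PRIVMSG":
            text = params.partition(" :")[2]  # message text after the target
            if text in KNOWN_COMMANDS:
                findings.append(("command", text))
    return findings

# Constructed session lines (both directions) as a capture on TCP/5050 might show them.
SAMPLE_SESSION = [
    "NICK |USA|qzt",
    "USER qzt 0 * :qzt",
    "JOIN #SMTP",
    ":op!o@example PRIVMSG #SMTP :hello there",
    ":op!o@example PRIVMSG #SMTP :m.off",
    "PING :irc.example",
]
```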

SMTP Brute Force

Phorpiex can receive an IRC command which causes the infected host to brute force SMTP accounts on a list of mail servers received from the C&C server. Once started, the brute force functionality will attempt each combination of the following usernames and passwords, shown in the table below, for login attempts against the SMTP servers:

Usernames/Passwords     Usernames/Passwords
test                    guest1
test1                   guest123
test123                 testing
info                    upload
admin                   tester
webmaster               testuser1
postmaster              12345
contact                 123456
12345                   1234567
123456                  12345678
1234567                 123456789
12345678                1234567890
123123                  123123
test                    admin
test1                   admin1
test123                 admin123
test1234                admin1234
info                    administrator
admin                   ftpadmin
admin1                  ftpuser
Password1               guest1
password                guest123
1q2w3e                  Password1
1q2w3e4r                passw0rd
q1w2e3r4                password
postmaster              password1
admin                   q1w2e3r4
administrator           q1w2e3r4t5
test                    qwerty
test1                   qwerty123
test123                 temp
user                    temp123
testuser                test
info                    test1
ftpuser                 test123
ftpadmin                test1234
support                 testing
backup                  upload
guest                   abc123
123qwe
1q2w3e
1q2w3e4r

InQuest recommends monitoring mail server logs for these combinations of username and password attempts, as they may be an indication that a Phorpiex infected host is trying to crack into your mail server. Conversely, high-volume outbound SMTP traffic from a workstation to multiple mail servers making multiple login attempts is another high confidence indicator that the host is infected by Phorpiex or another SMTP brute force malware.
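The following Python is an added example, not InQuest's own tooling, of the monitoring recommended above: it scans constructed Dovecot-style authentication failure lines and reports sources that cycle through usernames from the Phorpiex list. The log line format, the regex that parses it, and the threshold of three distinct usernames are assumptions; adapt LOG_RE to your own mail server's format.

```python
import re
from collections import defaultdict

# Subset of the username/password strings tried by Phorpiex (from the table above).
PHORPIEX_WORDLIST = {
    "test", "test1", "test123", "info", "admin", "webmaster", "postmaster",
    "contact", "12345", "123456", "guest1", "guest123", "testing", "upload",
    "tester", "password", "Password1", "passw0rd", "1q2w3e", "1q2w3e4r",
    "q1w2e3r4", "qwerty", "backup", "support", "ftpuser", "ftpadmin",
}

# Constructed sample lines in a Dovecot-like "Password mismatch" style; the exact
# format is an assumption, so adjust LOG_RE to match your own mail server's logs.
SAMPLE_LOG = """\
Mar 12 10:01:02 mx1 dovecot: auth-worker: sql(test,203.0.113.7): Password mismatch
Mar 12 10:01:03 mx1 dovecot: auth-worker: sql(test,203.0.113.7): Password mismatch
Mar 12 10:01:04 mx1 dovecot: auth-worker: sql(admin,203.0.113.7): Password mismatch
Mar 12 10:01:05 mx1 dovecot: auth-worker: sql(postmaster,203.0.113.7): Password mismatch
Mar 12 10:01:06 mx1 dovecot: auth-worker: sql(ftpuser,203.0.113.7): Password mismatch
Mar 12 10:02:00 mx1 dovecot: auth-worker: sql(jsmith,198.51.100.9): Password mismatch
"""

LOG_RE = re.compile(r"sql\((?P<user>[^,]+),(?P<ip>[\d.]+)\): Password mismatch")

def find_phorpiex_bruteforce(log_text, threshold=3):
    """Return {source_ip: sorted usernames} for sources whose failed logins used at
    least `threshold` distinct usernames from the Phorpiex wordlist."""
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("user") in PHORPIEX_WORDLIST:
            users_by_ip[m.group("ip")].add(m.group("user"))
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= threshold}
```

A single legitimate user mistyping a password never reaches the threshold, because only distinct wordlist usernames per source are counted.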

Email Building & Spreading

Once the IRC bot receives a specific command from the C&C server, with the contents being an encoded URL, a process is started on the infected host to decode that string and retrieve the arbitrary file located at the decoded URL. This file is then built into a .zip file which will ultimately be attached to the phishing email. The vast majority of headers and some email body content are created from randomized choices of hard-coded strings or randomly generated strings of a certain length, such as the Subject line, email body signature, Received headers, Mailer-ID, and attachment filenames.

The email will use one of the following subject lines, with a randomized string of digits after the “#” sign:

  • Document #[0-9]{4}
  • Your Document #[0-9]{4}
  • Invoice #[0-9]{4}
  • Payment Invoice #[0-9]{4}
  • Your Order #[0-9]{4}
  • Payment #[0-9]{4}
  • Ticket #[0-9]{4}
  • Your Ticket #[0-9]{4}

The following message body is used in the emails and is hard-coded into the payloads:

Dear Customer,
to read your document please open the attachment and reply as soon as possible.

Kind regards,

[A-Z]{3} Customer Support

Other crafted email headers, mentioned above, that are good candidates for detection within mail server, YARA, or IDS signatures include:

  • Received: from [aA-zZ]{5} ([ [public IP address] ]) by [domain] with MailEnable ESMTP; [date]
  • Received: (qmail [aA-zZ]{3} invoked by uid [aA-zZ]{3}); [date]
  • From: [First Name] [Last Name]
  • Message-ID: [0-9]{14}.[0-9]{4}.qmail@[aA-zZ]{6}

The public IP address mentioned above is received by contacting the public IP service “api.wipmania.com”. The service “icanhazip.com” is also seen in the malware and is used for the same purpose within a variation of the email spreading command.

It is of some note that the way in which these emails are built, from the payload creation and email message body to the email headers, has not changed since the early versions of the malware. Some samples may have more subject line variations than others, but beyond that the email spreading functionality has remained largely the same since the malware's inception.

Name Selection

The First and Last name parameters seen above are constructed by selecting two names from the names listed in the table below and then combining them to create a more realistic sender name:

Names       Names       Names
Adolfo      Deidre      James
Adolph      Deirdre     Baker
Adrian      Delbert     Gonzalez
Adrian      Delia       Nelson
Adriana     Gilda       Carter
Adrienne    Gina        Mitchell
Agnes       Ginger      Perez
Agustin     Gino        Roberts
Ahmad       Giovanni    Turner
Ahmed       Gladys      Phillips
Aida        Glen        Campbell
Aileen      Glenda      Parker
Aimee       Glenn       Evans
Aisha       Glenna      Edwards
Beulah      Gloria      Collins
Beverley    Goldie      Stewart
Beverly     Gonzalo     Sanchez
Bianca      Gordon      Morris
Bill        Hugh        Rogers
Billie      Hugo        Reed
Billie      Humberto    Cook
Billy       Hung        Morgan
Blaine      Hunter      Bell
Blair       Ignacio     Murphy
Blake       Ilene       Jackson
Blanca      Imelda      White
Blanche     Imogene     Harris
Bobbi       Ines        Martin
Bobbie      Tania       Thompson
Bobby       Tanisha     Garcia
Bonita      Tanner      Martinez
Bonnie      Tanya       Robinson
Booker      Tara        Clark
Boris       Tasha       Rodriguez
Boyd        Taylor      Lewis
Brad        Taylor      Walker
Bradford    Teddy       Hall
Bradley     Terence     Allen
Bradly      Teresa      Young
Brady       Teri        Hernandez
Deann       Terra       King
Deanna      Bailey      Wright
Deanne      Rivera      Lopez
Debbie      Cooper      Hill
Debora      Richardson  Scott
Deborah     Howard      Green
Debra       Ward        Adams
Deena       Torres      Smith
Brown       Peterson    Johnson
Davis       Gray        Williams
Miller      Ramirez     Jones
Wilson      Thomas      Wood
Moore       Watson      Barnes
Taylor      Brooks      Ross
Anderson    Kelly       Henderson
Price       Sanders     Coleman
Bennett     Jenkins

Payload Crafting

The payload that will ultimately be attached to the phishing email uses the naming convention:

  • DOC[0-9]{10}.zip

This payload is crafted by first downloading a file from the C&C server over HTTP and saving it into the %TEMP% directory.

The downloaded payload is then compressed into a zip file using the naming convention described above. In recent cases, the zipped payload has been a malicious JavaScript file, or a Word document leveraging macros to retrieve the actual GandCrab and Phorpiex malware.

More details on these attachment payloads and their contents can be found in our previous blog post on GandCrab.
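Pulling together the subject lines, hard-coded body, forged Received and Message-ID headers, sender name construction, and attachment naming from the sections above, here is an added example (not code from the original post or from InQuest) that scores a raw message for those traits with Python's standard email parser. The sample message, the small name subsets, reading the author's [aA-zZ] as [A-Za-z], and treating the dots in the Message-ID pattern as literal dots are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Small subsets of the first and last names from the Name Selection table above.
FIRST_NAMES = {"Adolfo", "Adrian", "Aisha", "Bill", "Bobby", "Deanna", "Gina", "Tanya"}
LAST_NAMES = {"James", "Baker", "Gonzalez", "Smith", "Brown", "Davis", "Miller"}
HEADER_RULES = [  # (trait, header, pattern); every instance of the header is tested
    ("subject", "Subject", re.compile(r"^(?:Document|Your Document|Invoice|Payment Invoice"
                                      r"|Your Order|Payment|Ticket|Your Ticket) #\d{4}$")),
    ("message_id", "Message-ID", re.compile(r"^<?\d{14}\.\d{4}\.qmail@[A-Za-z]{6}>?$")),
    ("received_mailenable", "Received",
     re.compile(r"^from [A-Za-z]{5} \(\[[\d.]+\]\) by \S+ with MailEnable ESMTP;")),
    ("received_qmail", "Received", re.compile(r"^\(qmail [A-Za-z]{3} invoked by uid [A-Za-z]{3}\);")),
]
ATTACHMENT_RE = re.compile(r"^DOC\d{10}\.zip$")
BODY_RE = re.compile(r"Dear Customer,\s*to read your document please open the attachment"
                     r".*?^[A-Z]{3} Customer Support$", re.S | re.M)

def score_message(raw):
    """Return the sorted list of Phorpiex mail traits found in one RFC 822 message."""
    msg = message_from_string(raw)
    hits = {t for t, h, rx in HEADER_RULES if any(rx.match(v.strip()) for v in msg.get_all(h, []))}
    name = parseaddr(msg.get("From", ""))[0].split()
    if len(name) == 2 and name[0] in FIRST_NAMES and name[1] in LAST_NAMES:
        hits.add("from_name")
    for part in msg.walk():  # attachment name and the hard-coded body text
        if ATTACHMENT_RE.match(part.get_filename() or ""):
            hits.add("attachment")
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            if BODY_RE.search(text):
                hits.add("body")
    return sorted(hits)

# Constructed sample message carrying every trait described on the page.
SAMPLE_EMAIL = """\
Received: from fgzkl ([203.0.113.5]) by mx.example.net with MailEnable ESMTP; Tue, 12 Mar 2019 10:00:00 +0000
Received: (qmail abc invoked by uid xyz); Tue, 12 Mar 2019 09:59:58 +0000
From: Adrian Baker <adrian.baker@example.org>
Subject: Payment Invoice #4821
Message-ID: <20190312095958.1234.qmail@qwerty>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Customer,
to read your document please open the attachment and reply as soon as possible.

XYZ Customer Support
--b1
Content-Type: application/zip; name="DOC1234567890.zip"

--b1--
"""
```

The number of traits returned, rather than any single one, is what should drive a verdict, since a legitimate qmail or MailEnable relay will match one of the Received shapes on its own.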

Detections, Mitigations, and Remediations

InQuest customers are protected against the Phorpiex family by the following published signature:

  • Event ID:    5000869
  • Name:         MC_Phorpiex
  • Confidence:  8
  • Severity:     8

InQuest recommends detecting this phishing campaign by searching available mail server logs for variations of the email subjects, email header patterns, attachment names, sender name combinations, and the existence of the email body as described above in the section titled “Email Building & Spreading”.

InQuest recommends monitoring mail server logs to look for the combinations mentioned above of username and password attempts as it may be an indication that a Phorpiex infected host is trying to crack into your mail server. Inversely, high-volume outbound SMTP traffic from a workstation to multiple mail servers making a multitude of login attempts is another high confidence indicator that the originating host is infected by Phorpiex or another SMTP brute force malware.

Indicators of Compromise

E-Mail Artifacts

  • C&C Server:    185.189.58[.]222
  • Attachments:  DOC[0-9]{10}.zip
  • Mail Header:  Received: from [aA-zZ]{5} ([ [public IP address] ]) by [domain] with MailEnable ESMTP; [date]
  • Mail Header:  Received: (qmail [aA-zZ]{3} invoked by uid [aA-zZ]{3}); [date]
  • Mail Header:  From: [First Name] [Last Name]
  • Mail Header:  Message-ID: [0-9]{14}.[0-9]{4}.qmail@[aA-zZ]{6}
  • Mail Subject: Document #[0-9]{4}
  • Mail Subject: Your Document #[0-9]{4}
  • Mail Subject: Invoice #[0-9]{4}
  • Mail Subject: Your Order #[0-9]{4}
  • Mail Subject: Payment #[0-9]{4}
  • Mail Subject: Ticket #[0-9]{4}
  • Mail Subject: Your Ticket #[0-9]{4}

IP Addresses, Domains, and URLs

  • 185.189.58[.]222 (IRC C&C traffic on TCP port 5050)
Tags

phishing malware-analysis threat-hunting ransomware