Phorpiex malware spreads GandCrab phishing emails

Posted on 2018-05-29 by Adam Swanda

Introduction

After analyzing the ongoing GandCrab email distribution campaign, we at InQuest Labs decided to look further into the emails themselves and exactly how this malware is being propagated. Taking a second look at one of the payloads from our last analysis, we found that the Phorpiex malware family acts as an email spreader, sending phishing emails with attachments. This immediately stood out as the likely culprit behind the havoc across Internet mailboxes these past weeks.

By taking a closer look at the malware named in a previous blog post as "Trik" (after its "Trik.pdb" string), we have now identified it as the malware family Phorpiex. Because of the family's email spreader capability and the unique strings found in the malware, it is highly likely responsible for distributing the GandCrab phishing campaigns we've seen in the wild over the past several weeks to months.

Phorpiex as a malware family has been around for several years and has not changed much in purpose, functionality, or code from the older samples we discovered. The primary goal of Phorpiex is to spread emails, with or without attached files, and to attempt to brute-force SMTP credentials. These actions are triggered by commands sent to the infected host through a built-in IRC bot, which connects to a hard-coded Command and Control server. The malware itself is not particularly advanced: it has minimal evasion techniques, is often not packed during delivery, and is not very subtle about dropping files on disk or using hard-coded strings where more advanced malware families would use randomized characters.

Some more recent campaigns have also seen Phorpiex being used to distribute the Pony and Pushdo malware families, though, based on the available data, GandCrab appears to be the front-runner in recent months.

Family History

All of our analyzed samples had the following PDB string:

  • C:\Users\x\Desktop\Home\Code\Trik v6.0 - WORK - doc\Release\Trik.pdb

Searching VirusTotal Intelligence for the "Trik.pdb" string reveals a significant number of samples that use the same file path with other version numbers in the Trik path, some of the oldest dating back roughly 5 years. While we are not analyzing these samples here, they are highly likely to be variants of this malware developed by the same author, and given how frequently they have been uploaded to VirusTotal recently, they are either being used in another active campaign or are merely old samples that are now finally making the rounds into VirusTotal.

Some of the other older versions we found included "Trik v5.0" and "Trik v3.0". Even though the version numbers are different in these samples, the functionality and core purpose remain mostly the same.

Initial Execution

Upon execution, Phorpiex creates a copy of itself using the filename "winsvc.exe" in one of three directories. Other payload file names seen include "winmgr.exe". The directory is chosen by iterating over the list of options below; the payload is dropped in the first one that exists and is writable. The options are as follows:

  • C:\Windows
  • C:\Users\$USERNAME\%TEMP%
  • C:\Users\$USERNAME\

The payload also employs some minor evasion and anti-analysis techniques. For example, if any of the following processes are found running, the payload terminates itself:

  • tcpview.exe
  • procmon.exe
  • netstat.exe
  • wireshark.exe

Checks are also performed to see whether the sample is running within a sandbox or under a debugger: the usual "IsDebuggerPresent" call, plus looking for QEMU, VirtualBox, VMware, and Sandboxie by checking for DLL names and running processes associated with those virtualization platforms. Once these checks have been passed (or bypassed, if you are debugging and patching the binary), it continues down its installation path.

Within the chosen directory explained above, a new sub-directory is created to house the payload copy. The sub-directory name is hard-coded as M-5050502652865804205. This value is likely to change between batches of samples, but it appears always to be the letter "M" followed by a "-" character and 19 digits.

If this is the payload's first run, it adds itself to the Windows registry to persist across reboots, at the following location:

  • Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Key: Microsoft Windows Service
  • Value: $FILEPATH\winsvc.exe

A mutex is also created, but the exact string seems to vary from sample to sample.
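The drop-directory and payload naming described above is stable enough to triage for on disk. The following script is an added example written for this post, not InQuest's code or tooling: it walks the candidate drop directories the post names (resolved from the SystemRoot, TEMP and USERPROFILE environment variables, an assumption about how those paths are found on a host) and reports any sub-directory of the form "M-" plus exactly 19 digits that holds a winsvc.exe or winmgr.exe. The sample tree it builds for demonstration is constructed and contains placeholder bytes, not a real executable.

```python
import os
import re
import tempfile

# From the post: the payload copy is winsvc.exe (or winmgr.exe) inside a
# sub-directory named "M-" followed by 19 digits.
PAYLOAD_NAMES = ("winmgr.exe", "winsvc.exe")
SUBDIR_RE = re.compile(r"^M-\d{19}$")


def find_phorpiex_artifacts(roots):
    """Return (directory, payload) pairs matching the Phorpiex drop pattern.

    Only the first level below each root is examined, because the post
    states the sub-directory is created directly inside the drop directory.
    """
    hits = []
    for root in roots:
        try:
            entries = sorted(os.listdir(root))
        except OSError:
            continue  # root absent or unreadable on this machine, skip it
        for name in entries:
            sub = os.path.join(root, name)
            if not (SUBDIR_RE.match(name) and os.path.isdir(sub)):
                continue
            for payload in PAYLOAD_NAMES:
                if os.path.isfile(os.path.join(sub, payload)):
                    hits.append((sub, payload))
    return hits


def default_roots():
    """Drop directories named in the post, resolved from the environment.

    Assumption: on a Windows host these variables exist; elsewhere the
    missing roots are simply skipped by find_phorpiex_artifacts().
    """
    roots = [os.environ.get("SystemRoot", r"C:\Windows")]
    for var in ("TEMP", "USERPROFILE"):
        if var in os.environ:
            roots.append(os.environ[var])
    return roots


def build_sample_tree():
    """Constructed fixture: one matching drop dir and one 18-digit decoy."""
    base = tempfile.mkdtemp(prefix="phorpiex_demo_")
    good = os.path.join(base, "M-5050502652865804205")   # 19 digits, from the post
    decoy = os.path.join(base, "M-505050265286580420")   # 18 digits, must not match
    for directory in (good, decoy):
        os.makedirs(directory)
        with open(os.path.join(directory, "winsvc.exe"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable
    return base


if __name__ == "__main__":
    demo = build_sample_tree()
    for directory, payload in find_phorpiex_artifacts([demo] + default_roots()):
        print("possible Phorpiex drop: " + os.path.join(directory, payload))
```

A hit on disk should be paired with the registry check the post describes (the "Microsoft Windows Service" value under HKLM\...\CurrentVersion\Run pointing at winsvc.exe); the script stays filesystem-only so it also runs on an offline disk image.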

Command & Control

The samples we analyzed used a hard-coded C&C server of 185.189.58[.]222. This is the same server seen in our previous analysis of this GandCrab campaign, and we can see the C&C server is still active in more recent samples captured in the wild.

Many other researchers, blacklist services, online sandboxes and scanners, and security vendors have also recently noted the use of this specific Command & Control server in relation to GandCrab and Phorpiex, making it clear that our discovery was not an isolated case and that this malware pairing campaign has widespread implications for users.

The Phorpiex family uses an embedded IRC bot to communicate with this Command and Control server on TCP port 5050. The IRC bot username is created in the format |<3-character country code>|[a-z]{3}. Once the bot joins the server, it receives an instruction to join a specific channel. In the samples analyzed this channel was either "#QC" or "#SMTP", although the channel names and servers likely rotate often on a per-campaign basis. The bot then receives commands from the botnet administrators to begin sending phishing emails or brute-forcing SMTP accounts, depending on which command is received.

The bot can also be told to download and execute an arbitrary payload from a URL, instead of spreading it via phishing emails.

The SMTP brute-forcing function is stopped when the infected host receives the "b.off" IRC command, and the email spreading function when it receives the "m.off" IRC command. The "rmrf" command completely removes the Phorpiex payload from the Windows Registry and its installed directories.

Outside of IRC command and control, when HTTP requests are made to the same C&C host or to one of the decoded URLs, the following HTTP User-Agent has been seen in use:

  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0

The presence of this specific User-Agent in HTTP traffic to the IP address listed above, or in downloads of Windows executable files, is a high-confidence Indicator of Compromise, and the affected system should be investigated immediately.
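The IRC nick format, the C&C host and port, the channel names and the User-Agent above are all directly usable as network detections. The script below is an added example written for this post, not InQuest's code: it scans two constructed, tab-separated record streams (an IRC command log and an HTTP request log; the layouts are assumptions, not any real sensor's format) and flags the events the post describes. The country code in the nick is assumed to be alphabetic; the benign records and the "/dl/tool.exe" path are constructed for the demonstration.

```python
import re

# Values from the post (the IP is defanged there as 185.189.58[.]222).
C2_HOST = "185.189.58.222"
C2_IRC_PORT = "5050"
C2_CHANNELS = {"#QC", "#SMTP"}
PHORPIEX_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) "
               "Gecko/20100101 Firefox/25.0")
# Bot nick format from the post: |<3-character country code>|[a-z]{3}
# (assumption: the country code is alphabetic, any case).
NICK_RE = re.compile(r"^\|[A-Za-z]{3}\|[a-z]{3}$")


def is_phorpiex_nick(nick):
    """True when an IRC nick follows the Phorpiex bot naming scheme."""
    return NICK_RE.match(nick) is not None


# Constructed record layouts (assumption, not a real sensor format), tab-separated:
#   IRC:  timestamp, src, dst, dport, command, argument
#   HTTP: timestamp, src, host, method, path, user_agent
def scan_irc(lines):
    """Flag IRC events matching the post's C&C description."""
    alerts = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue  # malformed record, skip it
        _ts, src, dst, dport, cmd, arg = fields
        reasons = []
        if cmd == "NICK" and is_phorpiex_nick(arg):
            reasons.append("nick matches |CCC|xxx bot format")
        if cmd == "JOIN" and arg in C2_CHANNELS and dport == C2_IRC_PORT:
            reasons.append("join to known C&C channel on TCP 5050")
        if dst == C2_HOST:
            reasons.append("traffic to known C&C host")
        if reasons:
            alerts.append((src, cmd, arg, reasons))
    return alerts


def scan_http(lines):
    """Flag requests carrying the Phorpiex User-Agent to the C&C host or for an .exe."""
    alerts = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue
        _ts, src, host, _method, path, ua = fields
        if ua != PHORPIEX_UA:
            continue
        if host == C2_HOST or path.lower().endswith(".exe"):
            alerts.append((src, host, path))
    return alerts


# Constructed sample records: two Phorpiex-like events and one benign per log.
IRC_SAMPLE = ["\t".join(r) for r in [
    ("2018-05-22T10:01:03Z", "10.0.0.15", C2_HOST, "5050", "NICK", "|USA|qzk"),
    ("2018-05-22T10:01:04Z", "10.0.0.15", C2_HOST, "5050", "JOIN", "#SMTP"),
    ("2018-05-22T10:05:00Z", "10.0.0.22", "192.0.2.10", "6667", "NICK", "alice_dev"),
]]
HTTP_SAMPLE = ["\t".join(r) for r in [
    ("2018-05-22T10:02:10Z", "10.0.0.15", C2_HOST, "GET", "/gate.php", PHORPIEX_UA),
    ("2018-05-22T10:03:11Z", "10.0.0.15", "203.0.113.7", "GET", "/dl/tool.exe", PHORPIEX_UA),
    ("2018-05-22T10:04:00Z", "10.0.0.40", "198.51.100.9", "GET", "/index.html",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/60.0"),
]]

if __name__ == "__main__":
    for alert in scan_irc(IRC_SAMPLE) + scan_http(HTTP_SAMPLE):
        print(alert)
```

The nick and channel checks are deliberately independent of the hard-coded IP so that they keep working when, as the post expects, the server and channel names rotate between campaigns; a nick hit alone is a medium-confidence signal, a nick hit plus TCP 5050 to a non-corporate host is what to escalate on.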

SMTP Brute Force

Phorpiex can receive an IRC command that causes the infected host to brute-force SMTP accounts on a list of mail servers supplied by the C&C server. Once started, the brute-force routine attempts to log in to each server using every combination of the usernames and passwords shown in the table below:

| Usernames/Passwords | Usernames/Passwords |
|---------------------|---------------------|
| test | guest1 |
| test1 | guest123 |
| test123 | testing |
| info | upload |
| admin | tester |
| webmaster | testuser1 |
| postmaster | 12345 |
| contact | 123456 |
| 12345 | 1234567 |
| 123456 | 12345678 |
| 1234567 | 123456789 |
| 12345678 | 1234567890 |
| 123123 | 123123 |
| test | admin |
| test1 | admin1 |
| test123 | admin123 |
| test1234 | admin1234 |
| info | administrator |
| admin | ftpadmin |
| admin1 | ftpuser |
| Password1 | guest1 |
| password | guest123 |
| 1q2w3e | Password1 |
| 1q2w3e4r | passw0rd |
| q1w2e3r4 | password |
| postmaster | password1 |
| admin | q1w2e3r4 |
| administrator | q1w2e3r4t5 |
| test | qwerty |
| test1 | qwerty123 |
| test123 | temp |
| user | temp123 |
| testuser | test |
| info | test1 |
| ftpuser | test123 |
| ftpadmin | test1234 |
| support | testing |
| backup | upload |
| guest | abc123 |
| 123qwe | |
| 1q2w3e | |
| 1q2w3e4r | |

InQuest recommends monitoring mail server logs for these username and password combinations, as their appearance may indicate that a Phorpiex-infected host is trying to crack into your mail server. Conversely, high-volume outbound SMTP traffic from a workstation to multiple mail servers, with multiple login attempts, is another high-confidence indicator that the host is infected by Phorpiex or another SMTP brute-force malware.
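Both sides of that recommendation can be implemented as simple aggregations. The script below is an added example written for this post, not InQuest's code: the first function counts, per source IP, how many distinct usernames from the post's wordlist failed authentication against your mail server; the second counts, per internal host, how many distinct mail servers it opened SMTP connections to. Both log layouts ("auth-failed src=... user=..." and "conn src=... dst=... dport=...") are constructed assumptions, not any particular MTA or flow sensor's format, and the sample lines are constructed too.

```python
import re
from collections import defaultdict

# Login-name style entries from the post's brute-force wordlist, used as the
# watch list (the numeric and password-style entries are left out).
WATCHED_USERNAMES = {
    "test", "test1", "test123", "test1234", "info", "admin", "admin1",
    "webmaster", "postmaster", "contact", "administrator", "user",
    "testuser", "ftpuser", "ftpadmin", "support", "backup", "guest",
}

# Constructed log formats (assumptions, not a real MTA or sensor format):
#   mail auth:  <timestamp> auth-failed src=<ip> user=<name>
#   netflow:    <timestamp> conn src=<ip> dst=<ip> dport=<port>
AUTH_FAIL_RE = re.compile(r"^\S+ auth-failed src=(\S+) user=(\S+)$")
CONN_RE = re.compile(r"^\S+ conn src=(\S+) dst=(\S+) dport=(\d+)$")
MAIL_PORTS = {25, 465, 587}


def inbound_bruteforce_sources(lines, min_distinct=5):
    """Source IPs that failed logins for at least min_distinct watched usernames."""
    users_by_src = defaultdict(set)
    for line in lines:
        m = AUTH_FAIL_RE.match(line.strip())
        if not m:
            continue
        src, user = m.group(1), m.group(2).lower()
        if user in WATCHED_USERNAMES:
            users_by_src[src].add(user)
    return {src: sorted(u) for src, u in users_by_src.items() if len(u) >= min_distinct}


def outbound_smtp_fanout(lines, min_servers=5):
    """Internal hosts that connected to at least min_servers distinct mail servers."""
    servers_by_src = defaultdict(set)
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport in MAIL_PORTS:
            servers_by_src[src].add(dst)
    return {src: len(s) for src, s in servers_by_src.items() if len(s) >= min_servers}


# Constructed samples: one noisy attacker plus one ordinary user, then one
# workstation fanning out to six mail servers plus one talking to its own relay.
AUTH_LOG = """\
2018-05-22T10:00:01Z auth-failed src=203.0.113.5 user=test
2018-05-22T10:00:02Z auth-failed src=203.0.113.5 user=test1
2018-05-22T10:00:03Z auth-failed src=203.0.113.5 user=admin
2018-05-22T10:00:04Z auth-failed src=203.0.113.5 user=webmaster
2018-05-22T10:00:05Z auth-failed src=203.0.113.5 user=postmaster
2018-05-22T10:00:06Z auth-failed src=203.0.113.5 user=info
2018-05-22T10:00:07Z auth-failed src=203.0.113.5 user=admin
2018-05-22T10:07:30Z auth-failed src=198.51.100.77 user=alice
2018-05-22T10:09:12Z auth-failed src=198.51.100.77 user=admin
""".splitlines()

FLOW_LOG = """\
2018-05-22T11:00:00Z conn src=10.0.0.15 dst=192.0.2.10 dport=25
2018-05-22T11:00:01Z conn src=10.0.0.15 dst=192.0.2.11 dport=25
2018-05-22T11:00:02Z conn src=10.0.0.15 dst=192.0.2.12 dport=587
2018-05-22T11:00:03Z conn src=10.0.0.15 dst=192.0.2.13 dport=25
2018-05-22T11:00:04Z conn src=10.0.0.15 dst=192.0.2.14 dport=25
2018-05-22T11:00:05Z conn src=10.0.0.15 dst=192.0.2.15 dport=465
2018-05-22T11:00:06Z conn src=10.0.0.15 dst=192.0.2.16 dport=443
2018-05-22T11:01:00Z conn src=10.0.0.22 dst=192.0.2.10 dport=587
2018-05-22T11:01:01Z conn src=10.0.0.22 dst=192.0.2.10 dport=587
""".splitlines()

if __name__ == "__main__":
    print("inbound brute-force sources:", inbound_bruteforce_sources(AUTH_LOG))
    print("outbound SMTP fan-out hosts:", outbound_smtp_fanout(FLOW_LOG))
```

In production both counters should be bucketed by a time window (the sample runs are all within a few minutes) and the outbound check should exclude your own mail relays, since a legitimate workstation normally talks to exactly one.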

Email Building & Spreading

Once the IRC bot receives a specific command from the C&C server whose contents are an encoded URL, a process is started on the infected host to decode that string and retrieve the arbitrary file located at the decoded URL. This file is then packaged into a .zip file that will ultimately be attached to the phishing email. The vast majority of the headers and some of the email body content are created from randomized choices of hard-coded strings or randomly generated strings of a certain length, including the Subject line, the email body signature, the Received headers, the Mailer-ID, and the attachment filenames.

The email uses one of the following subject lines, with a randomized string of four digits after the "#" sign:

  • Document #[0-9]{4}
  • Your Document #[0-9]{4}
  • Invoice #[0-9]{4}
  • Payment Invoice #[0-9]{4}
  • Your Order #[0-9]{4}
  • Payment #[0-9]{4}
  • Ticket #[0-9]{4}
  • Your Ticket #[0-9]{4}

The following message body is used in the emails and is hard-coded into the payloads:

Dear Customer,
to read your document please open the attachment and reply as soon as possible.

Kind regards,

[A-Z]{3} Customer Support

Other crafted email headers, mentioned above, that are good candidates for detection in mail server, YARA, or IDS signatures include:

  • Received: from [a-zA-Z]{5} ([ [public IP address] ]) by [domain] with MailEnable ESMTP; [date]
  • Received: (qmail [a-zA-Z]{3} invoked by uid [a-zA-Z]{3}); [date]
  • From: [First Name] [Last Name]
  • Message-ID: [0-9]{14}\.[0-9]{4}\.qmail@[a-zA-Z]{6}

The public IP address mentioned above is obtained by contacting the public IP service "api.wipmania.com". The service "icanhazip.com" also appears in the malware and is used for the same purpose in a variation of the email spreading command.

It is worth noting that the way these emails are built, from payload creation and the email message body to the email headers, has not changed since the early versions of the malware. Some samples may have more subject line variations than others, but otherwise the email spreading functionality has remained largely the same since the malware's inception.
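Because the subject lines, Received and Message-ID formats, body text and attachment name (DOC[0-9]{10}.zip, given under "Payload Crafting" below) are all fixed, a mail-gateway check can score a message on how many of them it matches. The following is an added example written for this post, not InQuest's code or signature: it parses an RFC 5322 message with Python's standard email library, tests each indicator from the post, and returns the count plus the list of matches. The two messages at the bottom are constructed for the demonstration (the zip payload is a few placeholder base64 bytes, not a real archive).

```python
import re
from email import message_from_string, policy

# Patterns from the post's description of the crafted emails.
SUBJECTS = ["Document", "Your Document", "Invoice", "Payment Invoice",
            "Your Order", "Payment", "Ticket", "Your Ticket"]
SUBJECT_RE = re.compile(r"^(?:%s) #\d{4}$" % "|".join(re.escape(s) for s in SUBJECTS))
MSGID_RE = re.compile(r"^<?\d{14}\.\d{4}\.qmail@[A-Za-z]{6}>?$")
RECV_MAILENABLE_RE = re.compile(
    r"^from [A-Za-z]{5} \(\[\d{1,3}(?:\.\d{1,3}){3}\]\) by \S+ with MailEnable ESMTP;")
RECV_QMAIL_RE = re.compile(r"^\(qmail [A-Za-z]{3} invoked by uid [A-Za-z]{3}\);")
ATTACHMENT_RE = re.compile(r"^DOC\d{10}\.zip$", re.IGNORECASE)
BODY_PHRASE = "to read your document please open the attachment and reply as soon as possible"


def score_message(raw):
    """Return (score, matched_indicators) for one raw RFC 5322 message.

    Each indicator scores one point. The subject, Message-ID and Received
    formats are distinctive enough that two or more hits deserve review.
    """
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject")
    if MSGID_RE.match(str(msg.get("Message-ID", "")).strip()):
        hits.append("message-id")
    for received in msg.get_all("Received", []):
        text = " ".join(str(received).split())  # unfold any line breaks
        if RECV_MAILENABLE_RE.match(text):
            hits.append("received-mailenable")
        elif RECV_QMAIL_RE.match(text):
            hits.append("received-qmail")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_PHRASE in " ".join(body.get_content().lower().split()):
        hits.append("body")
    for part in msg.iter_attachments():
        if ATTACHMENT_RE.match(part.get_filename() or ""):
            hits.append("attachment")
    return len(hits), hits


# Constructed sample built to the post's template (all values made up).
SAMPLE_EMAIL = """\
Received: from ABCDE ([198.51.100.23]) by mail.example.net with MailEnable ESMTP; Tue, 22 May 2018 10:02:11 +0000
Received: (qmail abc invoked by uid xyz); Tue, 22 May 2018 10:02:10 +0000
From: James Carter <james.carter@example.org>
To: victim@example.net
Subject: Invoice #4821
Message-ID: <20180522100210.4821.qmail@abcdef>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear Customer,
to read your document please open the attachment and reply as soon as possible.

Kind regards,

XYZ Customer Support
--b1
Content-Type: application/zip; name="DOC0123456789.zip"
Content-Disposition: attachment; filename="DOC0123456789.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: Alice <alice@example.org>
To: bob@example.net
Subject: Lunch on Friday?
Message-ID: <a1b2c3@example.org>

Are we still on for noon?
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, score_message(raw))
```

The Received-header checks only fire on the hop lines the malware fabricates, so they survive being prefixed by your own gateway's Received headers; the From name is deliberately not scored, since "First Last" display names are far too common to be useful on their own.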

Name Selection

The First Name and Last Name parameters seen above are constructed by selecting two names from the table below and combining them to create a more realistic sender name:

| Names | Names | Names |
|-------|-------|-------|
| Adolfo | Deidre | James |
| Adolph | Deirdre | Baker |
| Adrian | Delbert | Gonzalez |
| Adrian | Delia | Nelson |
| Adriana | Gilda | Carter |
| Adrienne | Gina | Mitchell |
| Agnes | Ginger | Perez |
| Agustin | Gino | Roberts |
| Ahmad | Giovanni | Turner |
| Ahmed | Gladys | Phillips |
| Aida | Glen | Campbell |
| Aileen | Glenda | Parker |
| Aimee | Glenn | Evans |
| Aisha | Glenna | Edwards |
| Beulah | Gloria | Collins |
| Beverley | Goldie | Stewart |
| Beverly | Gonzalo | Sanchez |
| Bianca | Gordon | Morris |
| Bill | Hugh | Rogers |
| Billie | Hugo | Reed |
| Billie | Humberto | Cook |
| Billy | Hung | Morgan |
| Blaine | Hunter | Bell |
| Blair | Ignacio | Murphy |
| Blake | Ilene | Jackson |
| Blanca | Imelda | White |
| Blanche | Imogene | Harris |
| Bobbi | Ines | Martin |
| Bobbie | Tania | Thompson |
| Bobby | Tanisha | Garcia |
| Bonita | Tanner | Martinez |
| Bonnie | Tanya | Robinson |
| Booker | Tara | Clark |
| Boris | Tasha | Rodriguez |
| Boyd | Taylor | Lewis |
| Brad | Taylor | Walker |
| Bradford | Teddy | Hall |
| Bradley | Terence | Allen |
| Bradly | Teresa | Young |
| Brady | Teri | Hernandez |
| Deann | Terra | King |
| Deanna | Bailey | Wright |
| Deanne | Rivera | Lopez |
| Debbie | Cooper | Hill |
| Debora | Richardson | Scott |
| Deborah | Howard | Green |
| Debra | Ward | Adams |
| Deena | Torres | Smith |
| Brown | Peterson | Johnson |
| Davis | Gray | Williams |
| Miller | Ramirez | Jones |
| Wilson | Thomas | Wood |
| Moore | Watson | Barnes |
| Taylor | Brooks | Ross |
| Anderson | Kelly | Henderson |
| Price | Sanders | Coleman |
| Bennett | Jenkins | |

Payload Crafting

The payload that will ultimately be attached to the phishing email uses the naming convention:

  • DOC[0-9]{10}.zip

This payload is crafted by first downloading a file from the C&C server over HTTP and saving it into the %TEMP% directory.

The downloaded file is then compressed into a zip file using the naming convention described above. In recent cases, the zipped payload has been a malicious JavaScript file or a Word document that uses macros to retrieve the actual GandCrab and Phorpiex malware.

More details on these attachment payloads and their contents can be found in our previous blog post on GandCrab.

Detections, Mitigations, and Remediations

InQuest customers are protected against the Phorpiex family by the following published signature:

  • Event ID: 5000869
  • Name: MC_Phorpiex
  • Confidence: 8
  • Severity: 8

InQuest recommends detecting this phishing campaign by searching available mail server logs for variations of the email subjects, email header patterns, attachment names, sender name combinations, and the existence of the email body as described above in the section titled "Email Building & Spreading".

InQuest recommends monitoring mail server logs for the username and password combinations listed above, as they may indicate that a Phorpiex-infected host is trying to crack into your mail server. Conversely, high-volume outbound SMTP traffic from a workstation to multiple mail servers with a multitude of login attempts is another high-confidence indicator that the originating host is infected by Phorpiex or another SMTP brute-force malware.

Indicators of Compromise

E-Mail Artifacts

  • C&C Server:    185.189.58[.]222
  • Attachments:  DOC[0-9]{10}.zip
  • Mail Header:  Received: from [a-zA-Z]{5} ([ [public IP address] ]) by [domain] with MailEnable ESMTP; [date]
  • Mail Header:  Received: (qmail [a-zA-Z]{3} invoked by uid [a-zA-Z]{3}); [date]
  • Mail Header:  From: [First Name] [Last Name]
  • Mail Header:  Message-ID: [0-9]{14}\.[0-9]{4}\.qmail@[a-zA-Z]{6}
  • Mail Subject: Document #[0-9]{4}
  • Mail Subject: Your Document #[0-9]{4}
  • Mail Subject: Invoice #[0-9]{4}
  • Mail Subject: Your Order #[0-9]{4}
  • Mail Subject: Payment #[0-9]{4}
  • Mail Subject: Ticket #[0-9]{4}
  • Mail Subject: Your Ticket #[0-9]{4}

IP Addresses, Domains, and URLs

  • 185.189.58[.]222 (IRC C&C traffic on TCP port 5050)
  • auoegfiaefuageudn[.]ru
  • uwgfusubwbusswf[.]ru
  • zfdiositdfgizdifzgif[.]ru
  • hxxp://185.189.58.222/1.exe
  • hxxp://185.189.58.222/176.txt
  • hxxp://185.189.58.222/2.exe
  • hxxp://185.189.58.222/40.txt
  • hxxp://185.189.58.222/880.txt
  • hxxp://185.189.58.222/a.exe
  • hxxp://185.189.58.222/as.exe
  • hxxp://185.189.58.222/au.exe
  • hxxp://185.189.58.222/bam.exe
  • hxxp://185.189.58.222/bamm.exe
  • hxxp://185.189.58.222/bk.exe
  • hxxp://185.189.58.222/c.exe
  • hxxp://185.189.58.222/d.doc
  • hxxp://185.189.58.222/da.exe
  • hxxp://185.189.58.222/done.exe
  • hxxp://185.189.58.222/dong.exe
  • hxxp://185.189.58.222/ds.exe
  • hxxp://185.189.58.222/dss.exe
  • hxxp://185.189.58.222/dsss.exe
  • hxxp://185.189.58.222/dssss.exe
  • hxxp://185.189.58.222/f.exe
  • hxxp://185.189.58.222/gate.php
  • hxxp://185.189.58.222/gc.exe
  • hxxp://185.189.58.222/gu.exe
  • hxxp://185.189.58.222/hello.exe
  • hxxp://185.189.58.222/hi.exe
  • hxxp://185.189.58.222/index.php
  • hxxp://185.189.58.222/k.exe
  • hxxp://185.189.58.222/m.exe
  • hxxp://185.189.58.222/m/d.js
  • hxxp://185.189.58.222/mc.exe
  • hxxp://185.189.58.222/mjs.exe
  • hxxp://185.189.58.222/mkk.exe
  • hxxp://185.189.58.222/mm.exe
  • hxxp://185.189.58.222/modules/bin/bin.bin
  • hxxp://185.189.58.222/mu.exe
  • hxxp://185.189.58.222/mud.exe
  • hxxp://185.189.58.222/ng.exe
  • hxxp://185.189.58.222/o.exe
  • hxxp://185.189.58.222/ohhi.exe
  • hxxp://185.189.58.222/ohshitman.exe
  • hxxp://185.189.58.222/ok.exe
  • hxxp://185.189.58.222/op.exe
  • hxxp://185.189.58.222/ps.exe
  • hxxp://185.189.58.222/rs.exe
  • hxxp://185.189.58.222/rz.exe
  • hxxp://185.189.58.222/s.exe
  • hxxp://185.189.58.222/s/d.js
  • hxxp://185.189.58.222/sexy.exe
  • hxxp://185.189.58.222/sf.exe
  • hxxp://185.189.58.222/sku.exe
  • hxxp://185.189.58.222/sp.exe
  • hxxp://185.189.58.222/spam.exe
  • hxxp://185.189.58.222/spamt.exe
  • hxxp://185.189.58.222/spm.exe
  • hxxp://185.189.58.222/sry.exe
  • hxxp://185.189.58.222/st.exe
  • hxxp://185.189.58.222/t0.exe
  • hxxp://185.189.58.222/t39.exe
  • hxxp://185.189.58.222/t5.exe
  • hxxp://185.189.58.222/t85.exe
  • hxxp://185.189.58.222/test.exe
  • hxxp://185.189.58.222/try.exe
  • hxxp://185.189.58.222/tst.exe
  • hxxp://185.189.58.222/tt.exe
  • hxxp://185.189.58.222/tttt.exe
  • hxxp://185.189.58.222/ttttt.exe
  • hxxp://185.189.58.222/tu.exe
  • hxxp://185.189.58.222/tz.exe
  • hxxp://185.189.58.222/ug.exe
  • hxxp://185.189.58.222/uh.exe
  • hxxp://185.189.58.222/ut.exe
  • hxxp://185.189.58.222/wa.exe
  • hxxp://185.189.58.222/wat.exe
  • hxxp://185.189.58.222/work.exe
  • hxxp://185.189.58.222/wuh.exe
  • hxxp://185.189.58.222/x.exe
  • hxxp://185.189.58.222/ya.exe

phishing malware-analysis threat-hunting ransomware