After analyzing the on-going GandCrab email distribution campaign, we at InQuest Labs decided to look further into the emails themselves and exactly how this malware is being propagated. Taking a second look at one of the payloads from our last analysis we found that the Phorpiex malware family acts as an email spreader for sending phishing emails with attachments. Immediately this jumped out at us as the culprit that is very likely the malware causing so much havoc across Internet mailboxes these past weeks.
By taking a closer look at the malware named in a previous blog post as "Trik" or Trik.pdb", we have now identified this as the malware family Phorpiex. Due to the families email spreader capability and unique strings found in the malware, it is highly likely to be responsible for the distribution of the GandCrab phishing campaigns we've seen in-the-wild over the past several weeks to months.