Phorpiex Botnet Hosted on a Hacked Website to Launch LockBit Ransomware on Windows

In a recent threat analysis by Cybereason Security Services, the notorious Phorpiex botnet, previously known for spam campaigns and cryptocurrency mining, has been identified as a vehicle for delivering LockBit 3.0 (LockBit Black) ransomware.

While ransomware attacks have historically relied on human operators, this campaign marks a shift towards automation, leveraging Phorpiex’s capabilities to execute attacks with minimal network damage.

Phorpiex, also referred to as Trik, has retained much of its original design, even after its source code was sold in 2021.

This stability in its codebase is evident in patterns such as consistent attempts to erase Zone.Identifier files, a technique used to obscure file origins and avoid detection.

Unlike traditional ransomware deployments, which aim to maximize the number of encrypted systems across a network, the LockBit variant delivered via Phorpiex focuses on precise execution on a single machine.

Linking Phorpiex to LockBit Operations

Phorpiex has become a key distribution channel for LockBit ransomware due to its wide-reaching botnet infrastructure.

LockBit, recognized as a major ransomware-as-a-service (RaaS) operation, has historically targeted sectors such as logistics, finance, aviation, and energy.

[Figure: Phorpiex to LockBit execution flowchart]

LockBit's attributes include rapid encryption, double extortion tactics (data exfiltration followed by threats of public release), and an affiliate-based distribution model in which profits are shared.

The collaboration between Phorpiex operators and LockBit threat actors highlights the evolving nature of cybercriminal tactics.

By utilizing a robust botnet like Phorpiex, LockBit can expand its reach to global targets while benefiting from the automation and stealth capabilities offered by Phorpiex downloaders.

Technical Analysis: Variants and Key Mechanisms

Cybereason's investigation delves into the workings of two major Phorpiex downloader variants: LockBit and TWIZT.

Phorpiex infections are typically initiated through phishing emails containing malicious ZIP files.

[Figure: Email subjects, senders and attached ZIP files]

These ZIP files may include LNK files (in the case of TWIZT) or SCR files (LockBit), each capable of executing further malicious payloads.

The LockBit downloader variant deletes URL cache entries using DeleteUrlCacheEntryW, employs obfuscation techniques such as string decryption and dynamic library loading to evade detection, downloads and executes the ransomware payload from a command-and-control (C2) server, and removes Zone.Identifier metadata to erase traces of the download.

The TWIZT downloader variant achieves persistence through a registry run key, avoids re-infecting a host by creating a placeholder JPEG file that marks the machine as already infected, and communicates with the C2 server while disguised as a legitimate application for stealth.

In comparison, the GandCrab Downloader incorporates anti-sandboxing techniques to detect virtualized environments, modifies registry settings to disable Windows Defender’s AntiSpyware, and registers itself in the Firewall Policy for persistence.
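As an added illustration of how a defender might turn the behaviours listed above into detection logic, the following Python triage runs over constructed endpoint events. This is example code written for this page, not Cybereason's or the article's own. The event schema and field names are assumptions chosen to resemble Sysmon-style registry and file-stream telemetry; the Run-key path, the Windows Defender policy key with its DisableAntiSpyware value, and the Zone.Identifier stream name are real Windows locations.

```python
"""Triage constructed endpoint telemetry for the downloader behaviours named in
the article: Run-key persistence (TWIZT), Defender AntiSpyware disabled
(GandCrab), Zone.Identifier removal (LockBit downloader) and SCR execution from
a user-writable path. Added example; the event dict schema is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Real Windows locations. The Run-key pattern covers HKCU and HKLM Run/RunOnce.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_POLICY_RE = re.compile(r"\\Policies\\Microsoft\\Windows Defender$", re.I)
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads)\\", re.I)
# Users legitimately strip the mark-of-the-web via Explorer's "Unblock" button,
# so stream deletions by these images are not reported on their own.
BENIGN_UNBLOCKERS = {"explorer.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    tactic: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(ev: Dict) -> Optional[Finding]:
    """Map one event to a finding, or None if it is benign under these rules."""
    host, proc = ev.get("host", "?"), ev.get("image", "?")
    kind = ev.get("type")
    if kind == "RegistryValueSet":
        key, name, data = ev["key"], ev["name"], str(ev.get("data", ""))
        # Run key pointing at a user-writable path: autostart persistence.
        if RUN_KEY_RE.search(key + "\\") and USER_WRITABLE_RE.match(data):
            return Finding(host, proc, "persistence",
                           f"Run key '{name}' points at user-writable path {data}")
        # Defender policy value flipped to 1: anti-spyware protection disabled.
        if (DEFENDER_POLICY_RE.search(key) and name.lower() == "disableantispyware"
                and data == "1"):
            return Finding(host, proc, "defense-evasion",
                           "Windows Defender AntiSpyware disabled via policy key")
    elif kind == "FileStreamDelete":
        if (ev.get("stream", "").lower() == "zone.identifier"
                and _basename(proc) not in BENIGN_UNBLOCKERS):
            return Finding(host, proc, "defense-evasion",
                           f"Zone.Identifier (mark-of-the-web) removed from {ev['path']}")
    elif kind == "ProcessCreate":
        image = ev.get("image", "")
        # Screensaver binaries launched from Temp/Downloads match the SCR lure.
        if image.lower().endswith(".scr") and USER_WRITABLE_RE.match(image):
            return Finding(host, image, "execution",
                           "screensaver executable launched from user-writable path")
    return None


def triage(events: List[Dict]) -> List[Finding]:
    """Run every event through the rules; findings come back in event order."""
    return [f for f in map(classify_event, events) if f is not None]


def hosts_with_chain(findings: List[Finding]) -> Set[str]:
    """Hosts showing two or more tactics: a stronger signal than any one rule."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.tactic)
    return {h for h, tactics in by_host.items() if len(tactics) >= 2}


# Constructed telemetry for the demo; none of it comes from the report.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "ProcessCreate",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.scr"},
    {"host": "ws01", "type": "FileStreamDelete",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.scr",
     "path": r"C:\Users\alice\AppData\Local\Temp\payload.exe", "stream": "Zone.Identifier"},
    {"host": "ws02", "type": "RegistryValueSet", "image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "svc",
     "data": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    {"host": "ws03", "type": "RegistryValueSet", "image": r"C:\Users\carol\Downloads\setup.exe",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "name": "DisableAntiSpyware", "data": 1},
    {"host": "ws04", "type": "RegistryValueSet", "image": r"C:\Program Files\Vendor\updater.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "name": "VendorUpdater",
     "data": r"C:\Program Files\Vendor\updater.exe"},  # benign: not user-writable
    {"host": "ws04", "type": "FileStreamDelete", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\dave\Downloads\doc.pdf", "stream": "Zone.Identifier"},  # user unblock
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:5} {f.tactic:16} {f.process} :: {f.detail}")
    print("hosts with multi-tactic chain:", sorted(hosts_with_chain(found)))
```

The two ws04 events show why each rule carries a narrowing condition: a vendor updater registering itself under Run from Program Files, or Explorer clearing the mark-of-the-web when a user clicks Unblock, would otherwise drown the real signal. Correlating tactics per host (hosts_with_chain) is the cheap way to raise confidence before an analyst looks at it.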

To counteract these threats, Cybereason recommends enabling application control and anti-ransomware policies, including shadow copy protection and behavioral execution prevention.

Organizations must also monitor phishing email campaigns rigorously and strengthen defense mechanisms within endpoint detection and response (EDR) systems.

As the cybersecurity landscape continues to evolve, the partnership between cybercriminal groups like LockBit and tools such as Phorpiex underscores the necessity for proactive, robust defense strategies to mitigate risks from highly adaptive and automated threats.
