Phorpiex bots target remote access servers to deliver ransomware

Get a copy of the upcoming book "Secure Operations Technology"

Threat actors are brute-forcing their way into enterprise endpoints running server-side remote access applications and attempting to spread the GandCrab ransomware onto other enterprise computers, SecurityScorecard researchers are warning.

Their weapon of choice is Phorpiex/Trik, a bot with worm capabilities that allows it to spread to other systems by copying itself to USBs and other removable drives.

target remote access servers

The campaign

This rather unsophisticated piece of malware scans the internet for Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) servers and tries to gain access to these devices by running through a list of widely used usernames and passwords (“password”, “test”, “testing”, “server”, “admin”, “123123”, “123456”, and similar).

The malware randomly generates a target’s IP address and tries to connect to it through port 5900. If it succeeds, it inserts the ransomware and leaves the user with locked files and a ransom request.

“The computers infected with Phorpiex are not the same as the computers that are targeted for ransomware infection. This means that Phorpiex still has most of its bots at the bot master’s disposal to do the other malicious activities, such as DDoS, brute-forcing, etc.,” Paul Gagliardi, the company’s director of threat intelligence, told Help Net Security.

“Initially they just distributed the ransomware, and the ransomware was instantly encrypting the files. However, in last two days, they started to distribute a Phorpiex executable to the exploited systems. It’s possible that either they themselves are distributing the ransomware or that they are doing it on behalf of someone else who rented their distribution services. ”

The researchers have keeping tabs on the campaign by sinkholing inactive Phorpiex domains and connecting to active ones after making their own systems appear to be compromised by the bot and listening for updates and commands.

“We don’t know how many computers were compromised with the ransomware via port 5900, but we know that there are 68,000 unique IPs infected with Phorpiex which are actively trying to infect computers with it,” Gagliardi shared.

Currently, the ransomware is being delivered mostly to systems in the US, Canada, certain European countries, Turkey, China, Japan, Taiwan and Australia.

Advice for potential targets

The researchers advise users to make sure that the password for their RDP and VNC servers is a strong one (long, complex and unique) and to regularly run virus protection on all removable media.

“If you notice that your computer is contacting other computers on port 5900 and you are not using remote access applications, then you might be infected with Phorpiex and you should take actions towards removing the infection,” they noted.

They also warned that, in general, all threats are evolving and companies should constantly evaluate their cybersecurity controls (and those of their partners) for efficacy and make needed changes to stay ahead of the attackers.