Research by: Gil Mansharov and Alexey Bukhteyev, Check Point Research
Rilispedia.com – According to its 2018 annual report, the FBI's IC3 (Internet Crime Complaint Center) recorded a 242% rise in extortion emails, the majority of them sextortion emails, with total losses of $83 million in reported crimes.
The idea behind sextortion is simple: an email demands a blackmail payment and threatens to expose sexual content involving the recipient if the demand is not met. Many of us have received such emails or know others who have. Few have paid, but is it possible that this morning you yourself unknowingly distributed 15,000 sextortion emails to innocent victims?
Investigating this trend, Check Point Research has exposed a botnet that does precisely that: it uses the many thousands of infected hosts under its control to deliver millions of such threats to innocent recipients.
The Phorpiex (aka Trik) botnet has been active for almost a decade and currently operates more than 450,000 infected hosts. In the past, Phorpiex monetised mostly by distributing other malware families, including GandCrab, Pony and Pushdo, and by using its hosts to mine cryptocurrency with various cryptominers. Recently, however, Phorpiex has added a new form of revenue generation: the spam bot described in this article, which Phorpiex uses to run large-scale sextortion campaigns.
In the five months we have been monitoring this operation, we recorded transfers of more than 11 BTC to the Phorpiex sextortion wallets, currently worth over US$110,000. This may not sound like much, but for a low-maintenance operation that requires only a large credential list and the occasional replacement of a wallet, it provides a comfortable US$22,000 monthly income.
Phorpiex uses a spam bot that downloads a database of email addresses from a C&C server. An email address is then randomly selected from the downloaded database, and a message is composed from several hardcoded strings. The spam bot can produce a large volume of spam, up to 30,000 emails per hour, and each individual spam campaign can cover up to 27 million potential victims.
The spam bot creates a total of 15,000 threads to send spam messages from one database. Each thread takes a random line from the downloaded file, and the next database file is downloaded only when all spam threads have finished. Taking the built-in delays into account, we estimate that a single bot is able to send about 30,000 emails per hour.
Phorpiex uses databases of leaked passwords paired with email addresses. The victim's password is usually included in the email message to make it more persuasive, showing that the attacker knows it. Emails in this campaign start with the password in order to shock the victim.
Below is an example we saw:
To send emails, Phorpiex uses its own minimal implementation of the SMTP protocol. The address of the SMTP server is derived from the domain part of the recipient's email address. After connecting to the SMTP server and receiving its greeting banner, the spam bot sends its own greeting (the HELO command), which contains its own external IP address rather than a hostname.
It works as follows:
- The spam bot takes an email address from the spam database, for example “firstname.lastname@example.org”
- It extracts the domain part of that address: “example.org”
- It resolves the DNS MX record of the domain “example.org”.
- It connects to TCP port 25 (the default SMTP port) of the IP address the MX record resolves to.
- It sends the email over SMTP as described above.
So the spam bot does not use a mail client or the email accounts of the infected computer; all it borrows from the infected computer is its IP address. Emails are sent on behalf of a random (spoofed) sender address.
Therefore, sextortion emails do not appear in the Outbox or Sent Items.
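The delivery mechanism just described leaves no trace in the victim's mail client, but it does leave a distinctive network footprint: one workstation resolving MX records and opening direct TCP/25 connections to a large number of unrelated external mail servers. The following Python script is an added example (not Check Point's tooling, and not code from the Phorpiex sample) that flags that fan-out pattern in connection logs. The log lines are constructed for the example and the `timestamp src dst dport` layout is an assumption; the internal address ranges and the threshold of 20 distinct MX hosts per hour are likewise assumptions to adapt to your environment.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the organisation's own address space; anything else is "external".
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, one outbound TCP connection per line:
#   "<ISO timestamp> <src ip> <dst ip> <dst port>"
# 10.0.0.15 fans out to 25 different MX hosts within 25 minutes (the
# spam-bot pattern), 10.0.0.9 is a legitimate mail server talking to three
# peers, and 10.0.0.7 only uses the internal relay plus HTTPS.
SAMPLE_LOG = "\n".join(
    [f"2019-09-01T08:{m:02d}:00 10.0.0.15 203.0.113.{m + 1} 25" for m in range(25)]
    + [
        "2019-09-01T08:05:00 10.0.0.9 198.51.100.4 25",
        "2019-09-01T08:06:00 10.0.0.9 198.51.100.5 25",
        "2019-09-01T08:07:00 10.0.0.9 198.51.100.6 25",
        "2019-09-01T08:08:00 10.0.0.7 10.0.0.2 25",
        "2019-09-01T08:09:00 10.0.0.7 203.0.113.99 443",
    ]
)


def is_external(ip_str):
    """True when the address is outside the organisation's own ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL)


def parse_line(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def smtp_fanout(log_text, window=timedelta(hours=1), port=25):
    """Map each source IP to the largest number of distinct external hosts it
    contacted on `port` inside any single fixed-length window."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    buckets = defaultdict(set)  # (src, window index) -> distinct external dsts
    t0 = events[0][0] if events else None
    for ts, src, dst, dport in events:
        if dport != port or not is_external(dst):
            continue  # only direct-to-Internet SMTP matters here
        buckets[(src, int((ts - t0) // window))].add(dst)
    peak = defaultdict(int)
    for (src, _), dsts in buckets.items():
        peak[src] = max(peak[src], len(dsts))
    return dict(peak)


def flag_spam_bots(log_text, min_distinct=20, **kwargs):
    """Sources whose MX fan-out reaches `min_distinct` in some window.
    A workstation should never get there; a bot sending to random recipients
    across many domains gets there within minutes."""
    return sorted(src for src, n in smtp_fanout(log_text, **kwargs).items()
                  if n >= min_distinct)


if __name__ == "__main__":
    for src, n in sorted(smtp_fanout(SAMPLE_LOG).items()):
        print(f"{src:<12} {n:>3} distinct external MX hosts / hour")
    print("suspected spam bots:", flag_spam_bots(SAMPLE_LOG))
```

A normal workstation in a corporate network should make zero outbound port 25 connections (its mail goes through the internal relay), so in practice any non-mail-server source that appears in the fan-out table at all is worth a look; the threshold only keeps legitimate mail servers with a handful of peers out of the alert. The simplest fix is an egress rule that blocks TCP/25 from everything except the mail relay, which also stops an infected host from delivering the spam in the first place.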
Bitcoin Wallets used to Collect Revenue
We have seen how the threat actors try to extort money, but how successful is the campaign actually?
Check Point Research monitored the campaign and the Bitcoin wallets extracted from every spam bot sample we spotted since April 2019, and found that more than 11 BTC (over US$110,000) had been transferred to those wallets in total. The actual revenue is likely higher, since we did not monitor sextortion campaigns in earlier years.
Given the number of incoming transactions to these wallets, we can also estimate the total number of victims affected by this campaign: approximately 150 victims paid the attackers over the span of five months. Although this is a tiny fraction of the number of emails the spam bot is capable of generating, it still means that this simple scam technique is successful.
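The victim estimate above is derived from the wallets' transaction history. The Python below is an added example (not Check Point's code) of that bookkeeping on a constructed, simplified transaction list: placeholder wallet names and satoshi amounts rather than real addresses or real chain data, with the transaction layout (`inputs` as a list of addresses, `outputs` as address/value pairs) an assumption of this example. It shows the one caveat a naive count misses: when the operator sweeps a wallet, the change output frequently comes back to the same address, so transactions that spend from a monitored wallet must be excluded before incoming payments are counted as victims.

```python
from collections import Counter

# Constructed sample data: placeholder wallet names, not real Bitcoin addresses.
# Amounts are in satoshi (1 BTC = 100_000_000 sat) to avoid float rounding.
WALLETS = {"WALLET_A", "WALLET_B"}  # wallets extracted from spam-bot samples

TXS = [
    {"txid": "t1", "inputs": ["victim1_addr"],
     "outputs": [{"address": "WALLET_A", "value_sat": 5_000_000}]},
    {"txid": "t2", "inputs": ["victim2_addr"],
     "outputs": [{"address": "WALLET_A", "value_sat": 8_000_000},
                 {"address": "victim2_change", "value_sat": 30_000_000}]},
    {"txid": "t3", "inputs": ["victim3_addr"],
     "outputs": [{"address": "WALLET_B", "value_sat": 7_000_000}]},
    # Operator sweeps WALLET_A to an exchange; the change returns to WALLET_A.
    # A naive "outputs to our wallet" count would mistake this for a 4th victim.
    {"txid": "t4", "inputs": ["WALLET_A"],
     "outputs": [{"address": "exchange_deposit", "value_sat": 10_000_000},
                 {"address": "WALLET_A", "value_sat": 2_900_000}]},
]


def victim_payments(txs, wallets):
    """Yield (txid, wallet, sat) for every payment INTO a monitored wallet
    that did not originate from a monitored wallet, i.e. excluding operator
    spends and their change outputs."""
    for tx in txs:
        if any(addr in wallets for addr in tx["inputs"]):
            continue  # operator moving funds, not a victim paying
        for out in tx["outputs"]:
            if out["address"] in wallets:
                yield tx["txid"], out["address"], out["value_sat"]


def summarize(txs, wallets):
    """Payment count (the victim estimate), total received and per-wallet split."""
    pays = list(victim_payments(txs, wallets))
    return {
        "victim_payments": len(pays),
        "total_sat": sum(sat for _, _, sat in pays),
        "per_wallet": dict(Counter(wallet for _, wallet, _ in pays)),
    }


def monthly_usd(total_btc, usd_per_btc, months):
    """Average monthly income in USD over the observation period."""
    return total_btc * usd_per_btc / months


if __name__ == "__main__":
    s = summarize(TXS, WALLETS)
    print(f"{s['victim_payments']} victim payments, "
          f"{s['total_sat'] / 1e8:.4f} BTC, per wallet {s['per_wallet']}")
    print(f"Article figure: ~US${monthly_usd(11, 10_000, 5):,.0f}/month")
```

The `monthly_usd` helper reproduces the article's figure: 11 BTC at roughly US$10,000 per BTC over five months is about US$22,000 a month. Counting transactions counts payments, not people; a victim who pays twice, or a payment routed through a shared exchange withdrawal, shifts the estimate slightly, which is why the article's 150 is approximate.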
On the other hand, the passwords in leaked databases such as the one used in this sextortion campaign generally belong to services other than the victim's email account. They are most often no longer valid, so the value of such data is low: these databases can be found for free or are sold for a small price, and it is hard to see how intruders could profit from them. Phorpiex's operators nevertheless found a way to monetise their botnet with this data that yields a reasonable profit.
Leaked credential lists, containing passwords that often no longer match their linked email addresses, are a common and inexpensive commodity. Phorpiex, a veteran botnet, has found a way to use them to generate low-maintenance, easy income on a long-term basis. This new activity might be connected with the shutdown of GandCrab, a ransomware family that Phorpiex used to distribute, or it may simply reflect the fact that plain-text emails still get through many lines of cyber defence. In any case, Phorpiex, which currently operates more than 450,000 infected hosts, is continuously propagating sextortion emails, in the millions.