A phishing campaign consisting of “millions of messages” carrying the Lockbit Black (3.0) ransomware is being delivered by the Phorpiex botnet, Proofpoint and other cybersecurity researchers have observed.
Phorpiex is one of the oldest bots, first observed around 2011, morphing a number of times from using worms spread by removable USB drives and instant messaging apps to delivering more dangerous payloads in a ransomware-as-a-service model.
Since 2018, the botnet has been observed conducting data exfiltration and ransomware delivery activities.
Proofpoint said it began to track the high volume of messages beginning on April 24, 2024, the first time its researchers had observed samples of LockBit Black in such numbers.
What the Messages Look Like
The messages were from a fictitious “Jenny Green” and carried the email address of “[email protected]" carrying the subject “Your document” and holding a zip file “Document.zip."
The copy read:
“Hello you can find your document in the attachment.
Please reply as soon as possible.
Kind regards, GSD Support.”
Proofpoint said the executable (.exe) was downloading the LockBit Black payload from the Phorpiex botnet infrastructure. The “Jenny Green” alias emails have been be dangled in front of users since at least 2023, Proofpoint said.
As with phishing attacks, user interaction launches the executable file that starts a network callout to Phorpiex botnet infrastructure.
“The LockBit Black sample is downloaded and detonated on the end user’s system where it exhibits data theft behavior and seizes the system, encrypting files and terminating services,” Proofpoint said. An earlier campaign featured the ransomware delivered directly with no network activity.
“The combination of this with the longstanding Phorpiex botnet amplifies the scale of such threat campaigns and increases chances of successful ransomware attacks,” Proofpoint said.
At this point, Proofpoint has not attributed the campaign to a known threat actor.
Dylan Duncan, a cyber threat intelligence analyst at Cofense, which has also observed Phorpiex in high volumes, said that the version of LockBit used in the attacks is thought to have originated in a leaked variant.
“Quantity over quality is the best way to describe this campaign as the emails are very simple, sent at high volume, and do not appear to be targeting any specific sector,” Duncan said. “The emails identified by Cofense have already proven capable of successfully bypassing security infrastructure like spam filters. This is unfortunate given there aren’t any complex tactics, techniques, or procedures (TTPs) involved in the phishing emails.”
