Phorpiex Worm Pivots To Infect The Enterprise With GandCrab Ransomware (Sep 27, 2018)

An unsophisticated botnet malware, dubbed “Phorpiex,” has been observed in a recent campaign that infects machines with the “GandCrab” ransomware. The campaign spreads to Windows machines through USB drives, other removable storage, and malspam. Phorpiex has minimal evasion techniques: it is not packed during delivery and shows little subtlety when dropping files to disk or in its use of hard-coded strings. From an infected host, the campaign targets corporate networks that expose poorly secured server-side applications to remote access. It searches for internet-facing Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) endpoints and, once it finds one, launches a brute-force attack against weak passwords. Phorpiex uses a successfully guessed credential on such an endpoint as the initial access vector to deploy GandCrab inside the corporate network. The unknown threat actors appear to target organizations in countries they deem “well-off,” such as Australia, Canada, Japan, and the United States.
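The RDP brute-force stage described above leaves a recognizable trace in the Windows Security log: a burst of failed logons (Event ID 4625, logon type 10 for RDP or type 3 when Network Level Authentication pre-authenticates) from one source address, followed by a success (Event ID 4624) from the same address once a weak password is guessed. The following is an added detection example written for this brief, not code from the original report or from Anomali; the sample events are constructed, and the failure threshold and time window are assumptions to be tuned per environment.

```python
"""Detect RDP/VNC-style password brute forcing in Windows Security events.

Added example. The log lines below are constructed to mimic what an exposed
RDP host records during a scanner's password-guessing run; field names follow
the Windows Security log (EventID, LogonType, TargetUserName, IpAddress).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (key=value form, one event per line).
SAMPLE_LOG = """\
TimeCreated=2018-09-27T02:00:01 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
TimeCreated=2018-09-27T02:00:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
TimeCreated=2018-09-27T02:00:05 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
TimeCreated=2018-09-27T02:00:06 EventID=4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.7
TimeCreated=2018-09-27T02:00:08 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
TimeCreated=2018-09-27T02:00:11 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
TimeCreated=2018-09-27T02:00:14 EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
TimeCreated=2018-09-27T02:15:00 EventID=4625 LogonType=2 TargetUserName=alice IpAddress=10.0.0.5
TimeCreated=2018-09-27T02:15:30 EventID=4624 LogonType=2 TargetUserName=alice IpAddress=10.0.0.5
"""

# Logon type 10 = RemoteInteractive (RDP); type 3 = Network (NLA pre-auth failures).
REMOTE_LOGON_TYPES = {10, 3}
FAIL_THRESHOLD = 5             # assumed: failures from one source inside the window
WINDOW = timedelta(minutes=5)  # assumed: sliding window length


def parse_event(line):
    """Turn one key=value log line into a dict with typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "time": datetime.fromisoformat(fields["TimeCreated"]),
        "event_id": int(fields["EventID"]),
        "logon_type": int(fields["LogonType"]),
        "account": fields["TargetUserName"],
        "source": fields["IpAddress"],
    }


def detect_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts in event order.

    "bruteforce"  - at least `threshold` remote logon failures from one source
                    within `window`
    "compromise"  - a remote logon success from a source that already tripped
                    the threshold, i.e. a weak password was guessed and the
                    attacker now has initial access
    """
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    recent_failures = defaultdict(deque)  # source -> failure timestamps in window
    flagged = set()
    alerts = []
    for ev in events:
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue  # console/local logons are not the exposed-endpoint problem
        q = recent_failures[ev["source"]]
        while q and ev["time"] - q[0] > window:
            q.popleft()  # expire failures that fell out of the sliding window
        if ev["event_id"] == 4625:
            q.append(ev["time"])
            if len(q) >= threshold and ev["source"] not in flagged:
                flagged.add(ev["source"])
                alerts.append({"kind": "bruteforce", "source": ev["source"],
                               "failures": len(q), "at": ev["time"].isoformat()})
        elif ev["event_id"] == 4624 and ev["source"] in flagged:
            alerts.append({"kind": "compromise", "source": ev["source"],
                           "account": ev["account"], "at": ev["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields two alerts: a "bruteforce" alert for 203.0.113.7 at the fifth failure, and a "compromise" alert when the same source later succeeds as Administrator. The local failure and success for alice (logon type 2) are ignored, which keeps ordinary typos at the console from tripping the rule; in production the threshold should also be set below the domain's account lockout value so that a scanner spreading guesses across many accounts, as the username variation above suggests, is still caught.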

Recommendation: Organizations should maintain proper security hygiene and set minimum security standards for endpoints and other network-connected devices. In this campaign the initial access vector is a weak password on an internet-facing RDP or VNC endpoint, so such services should not be exposed directly to the internet (place them behind a VPN or restrict access by source address), and account lockout should be enforced so that brute forcing is slowed and visible. Employees and administrators must use strong, non-guessable passwords and must never leave default administrative passwords in place, since these are widely known. Keep firewalls and antivirus software updated so that breaches or threats are detected as early as possible and their consequences limited. Educate employees on the dangers of phishing emails and how to recognize malicious messages.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.