Phorpiex as the distribution layer: Forcepoint attributed the email distribution in this campaign to the Phorpiex botnet, also known as Trik. Phorpiex has been operating for more than a decade and is known for maintaining a large global footprint capable of delivering spam at scale. In this campaign, infected systems within the botnet are used to send phishing emails directly, rather than relying on newly registered infrastructure.

The botnet’s role looks limited to delivery. Once a victim executes the malicious attachment, Phorpiex itself does not participate further in the intrusion chain.

“This campaign demonstrates how long-standing malware families like Phorpiex remain highly effective when paired with simple but reliable phishing techniques,” the researchers said. “By exploiting familiar file types such as Windows shortcut files, attackers can gain initial access with minimal friction, enabling a smooth transition to high-impact payloads like Global Group Ransomware.”

Global Group operates offline: Global Group ransomware, the final payload in the chain, was identified by Forcepoint as a successor to the Mamona ransomware family. The ransomware operates entirely offline. It generates its encryption keys locally and does not require communication with a remote server to complete file encryption.

According to the researchers, this design significantly limits network-based detection opportunities. “Despite the claims made in its ransom note, GLOBAL GROUP conducts no data exfiltration and is fully capable of executing in offline or air-gapped environments,” they said. “This offline-only design also increases its likelihood of evading detection in networks where monitoring efforts rely primarily on observing suspicious or anomalous traffic.”

During execution, Global Group encrypts user files using the “ChaCha20-Poly1305” algorithm and appends a new file extension. It also drops a ransom note instructing victims to contact the attackers through anonymized channels to obtain payment instructions. The researchers shared a list of indicators to support detection efforts. “This trend toward quiet, self-contained ransomware underscores the importance of prioritising endpoint behaviour monitoring over network activity alone,” they said.
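The researchers' closing point, that an offline-only payload leaves little for network sensors and that endpoint behaviour is the better signal, can be turned into a concrete check. What follows is an added example, not code from Forcepoint or from the article: a small Python heuristic run over constructed endpoint file-event telemetry that flags the two behaviours the article describes, a burst of renames that give files a new extension and the same note file being written into several directories by one process. The event layout, process names, paths, the `.locked` extension, the `README_RESTORE.txt` note name and the thresholds are all assumptions; the article does not give Global Group's real extension or note name.

```python
"""Endpoint-side heuristic for quiet, offline ransomware behaviour.

Added illustration, not Forcepoint's or the article's code. Telemetry
format, process names, paths, the ".locked" extension, the note name and
the thresholds are constructed assumptions, not values reported for
Global Group.
"""
from collections import Counter, defaultdict, deque
from pathlib import PureWindowsPath

WINDOW_SECONDS = 60      # assumption: how long a "burst" may span
RENAME_THRESHOLD = 5     # assumption: extension-changing renames per window
NOTE_DIR_THRESHOLD = 3   # assumption: same filename written in this many dirs

# Constructed telemetry: (epoch_seconds, pid, image, action, path, new_path).
# Only "rename" events carry new_path.
SAMPLE_EVENTS = [
    (1000, 4242, "update.exe", "rename", r"C:\Users\a\Docs\q1.xlsx", r"C:\Users\a\Docs\q1.xlsx.locked"),
    (1001, 4242, "update.exe", "write", r"C:\Users\a\Docs\README_RESTORE.txt", None),
    (1003, 4242, "update.exe", "rename", r"C:\Users\a\Docs\plan.docx", r"C:\Users\a\Docs\plan.docx.locked"),
    (1005, 4242, "update.exe", "rename", r"C:\Users\a\Docs\notes.txt", r"C:\Users\a\Docs\notes.txt.locked"),
    (1010, 4242, "update.exe", "rename", r"C:\Users\a\Pictures\a.jpg", r"C:\Users\a\Pictures\a.jpg.locked"),
    (1011, 4242, "update.exe", "write", r"C:\Users\a\Pictures\README_RESTORE.txt", None),
    (1015, 4242, "update.exe", "rename", r"C:\Users\a\Pictures\b.png", r"C:\Users\a\Pictures\b.png.locked"),
    (1020, 4242, "update.exe", "rename", r"C:\Users\a\Desktop\t.pdf", r"C:\Users\a\Desktop\t.pdf.locked"),
    (1021, 4242, "update.exe", "write", r"C:\Users\a\Desktop\README_RESTORE.txt", None),
    # Benign control: Word saving a document through a temp file.
    (1002, 5100, "winword.exe", "write", r"C:\Users\a\Docs\~WRD0001.tmp", None),
    (1003, 5100, "winword.exe", "rename", r"C:\Users\a\Docs\~WRD0001.tmp", r"C:\Users\a\Docs\report.docx"),
]


def _ext(path):
    return PureWindowsPath(path).suffix.lower()


def rename_bursts(events, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD):
    """Map pid -> details for processes whose extension-changing renames
    reach `threshold` inside any sliding window of `window` seconds."""
    per_proc = defaultdict(list)
    for ts, pid, image, action, path, new_path in events:
        if action == "rename" and new_path and _ext(path) != _ext(new_path):
            per_proc[(pid, image)].append((ts, _ext(new_path)))

    alerts = {}
    for (pid, image), hits in per_proc.items():
        hits.sort()
        recent, best = deque(), 0
        for ts, ext in hits:
            recent.append((ts, ext))
            while ts - recent[0][0] > window:   # drop hits outside the window
                recent.popleft()
            best = max(best, len(recent))
        if best >= threshold:
            top_ext = Counter(e for _, e in hits).most_common(1)[0][0]
            alerts[pid] = {"image": image, "renames": best, "extension": top_ext}
    return alerts


def note_drops(events, threshold=NOTE_DIR_THRESHOLD):
    """Map pid -> details for processes that write a file with the same
    name into at least `threshold` distinct directories (per-folder notes)."""
    dirs = defaultdict(set)
    for _ts, pid, image, action, path, _new in events:
        if action == "write":
            p = PureWindowsPath(path)
            dirs[(pid, image, p.name.lower())].add(str(p.parent).lower())
    return {pid: {"image": image, "note": name, "directories": len(seen)}
            for (pid, image, name), seen in dirs.items() if len(seen) >= threshold}


def detect(events):
    """Combine both heuristics into one finding per suspicious process."""
    bursts, notes = rename_bursts(events), note_drops(events)
    findings = []
    for pid in sorted(set(bursts) | set(notes)):
        indicators = []
        if pid in bursts:
            indicators.append("rename_burst")
        if pid in notes:
            indicators.append("note_drop")
        image = (bursts.get(pid) or notes.get(pid))["image"]
        findings.append({"pid": pid, "image": image, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Both checks rely only on local file-system activity, so they still fire when the payload never touches the network; tuning the window and thresholds against a baseline of normal document-handling activity (installers, backup agents and editors such as the `winword.exe` control above all rename files) is what keeps the false-positive rate usable.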
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4130019/windows-shortcut-weaponized-in-phorpiex-linked-ransomware-campaign.html