Win/Phorpiex Worm

Original Issue Date:- July 17, 2019

Virus Type:- Worm

Severity:- High

It has been reported that the variants of a worm named as “phorpiex” is spreading. The worm mainly targets the windows operating systems and spreads by means of removable devices and instant messaging software. The malware may also arrive on the system as a result of drive-by-download or files created by other malware. The malware is capable of performing the following functions:

Allows backdoor access and control
Creates hidden folder in removable drives containing a copy of malware and creates shortcut pointing to those hidden folders.
Malware checks for messaging software in computer such as AIM, Google Talk, ICQ, Paltalk, Windows Live Messenger, Xfire chat, if found, then worm sends a malicious link using these messenger automatically.
Make network connections to IRC server and receive commands from the remote server indicating malicious actions to be performed
Chenge firewall settings to authorize itself to access the internet without any barrier.
Act as a platform for sending phishing emails containing other malware such as GandCrab.
Malware uses anti analysis techniques and terminates itself if analysis tools are found running.

Indicators of Compromise:

File system changes:

Malware upon spreading via removable drives makes a copy of itself in following directory:

%USERPROFILE%\M-1-52-5782-8752-5245
C:\Users\$USERNAME\%TEMP%
C:\Windows

File names used by the malware while copying it are:

windsrcn.exe
winmgr.exe
winsam.exe
winsam.exe
winsrvc.exe
winsvc.exe

It creates “autorun.inf” file in root directory of targeted drive to spread itself via removable drives.

Registry Changes:

In subkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Update"
With data: "%USERPROFILE%\M-1-52-5782-8752-5245\winsvc.exe"

Malware Hashes:

c3727564b74452f0f7eae38ad8f13808
f6b48dc6144f175c75c6c142ae8d3ffe
b6fffc0fca2276a76ecec891039bdaa1
7ba150c8808edf187a1ccf8d0532d0732fff2bbe28f76d6e2f02f8196669dd06
0b4996c03b059d1a10349f715b6b21ad9926912faae834581f0c96b24ff1b33f
9f3f80167c5d39efb9e81507efec6d9bdc5e31323f9d6d89630374c7fe490f33
ef1563a962d2d86ceb1dd09056f87fcab4c32e3ca6481c51950d3b6db49d1087
5bf79a111467a85abe57f1f3e92f2279b277cccae53ed28c584267717ba372f8
2035ef02a014f9ae2a21d39c98604ca4863d77c47dcc12d31bb9b7b2d3e5fc98
3df16261b28f30683dce6a66331452f4ddc1d3472fb194ff5b505270a8f64311

Network Communication:

185[.]189[.]58[.]222
zfdiositdfgizdifzgif[.]ru
uwgfusubwbusswf[.]ru
auoegfiaefuageudn[.]ru
92[.]63[.]197[.]106 :5050
112[.]126[.]94[.]107 :5050
123[.]56[.]228v49 :5050
220[.]181[.]87[.]80 :5050
185[.]189[.]58[.]222 :5050

Countermeasures:

Monitor and block network traffic and systems making connections to the above mentioned domain/IPs at firewall, IDS, web gateways, routers or other perimeter based devices.
Delete the file system and registry changes made by the malware.
Disable the Autorun functionality in Windows
http://support.microsoft.com/kb/967715
Keep up-to-date patches and fixes on the operating system and application software.
Keep up-to-date Antivirus and Antispyware signatures at desktop and gateway level.
Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through browser.
Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
Consider encrypting the confidential data as the ransomware generally targets common file types.
Exercise caution while visiting links to Web pages.
Do not visit untrusted websites.
Use strong passwords and also enable password policies.
Enable firewall at desktop and gateway level.
Protect yourself against social engineering attacks.

References: