Threat actors have leveraged the Phorpiex botnet, also known as Trik, to enable automated deployment and execution of the LockBit ransomware payload as part of a new phishing attack campaign, according to Infosecurity Magazine.
Malicious emails carrying ZIP files have been used to distribute and execute files within Windows directories and download LockBit without conducting lateral movement, an analysis from Cybereason revealed. The activity is concealed by deleting the Zone.Identifier metadata, while persistence is ensured through Windows registry keys.
Other variants of Phorpiex spread the TWIZT and GandCrab backdoors, with the former featuring anti-reinfection capabilities and the latter having more stringent anti-analysis features.
Such a development, which highlights the evolving strategies employed by ransomware gangs amid increasing law enforcement clampdown efforts, should prompt the implementation of enhanced email security, as well as improved registry modification tracking, said Cybereason researchers.
Automated LockBit delivery facilitated by Phorpiex botnet
