‘Save Yourself’ sextortion campaign targets 27 million victims in their inboxes

A well-established botnet and malware agent is now engaged in a new large-scale sextortion campaign by acting as a spambot to target innocent recipients.

According to Check Point Research, the creators of the Phorpiex (aka Trik) botnet added this revenue-generation ability, tricking victims into transferring more than 11 BTC (~$89,370) to the threat actors’ wallets over the course of five months.

First documented in 2016, the Phorpiex botnet has been exploited by multiple threat actors to distribute malicious payloads. The botnet — which currently operates over 450,000 infected hosts — has been a distributor for all kinds of malware, including GandCrab, Pushdo, and Pony, and has even used the hosts to mine cryptocurrencies.

Indeed, the latest development comes as researchers from cybersecurity firm Reason discovered that the sextortion malware — dubbed “Save Yourself” — also uses the infected hosts to secretly mine the privacy-focused cryptocurrency Monero.

The modus operandi in itself is fairly simple: the botnet downloads a database of email addresses from a command-and-control server, and a message is composed to a victim at random using standard email protocols, urging the individual to pay up or risk having their sexual content exposed on the internet.

Aside from issuing the threat, the email contains the recipient’s password to make the spam email more persuasive.

The spambot can produce a large number of spam emails, as many as 30,000 per hour, with each individual spam campaign covering up to 27 million potential victims.

“The recipients of sextortion emails are from all around the world, because Phorpiex uses databases of leaked credentials similar to databases of Have I been Pwned?,” Check Point researcher Alexey Bukhteyev told TNW.

Although the operators behind the campaign are as yet unknown, Bukhteyev said almost 25 percent of the infected hosts are located in India.

The fact that plain text spam emails continue to bypass security barriers is a cause for concern.
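Plain-text extortion mail of the kind described above still has to carry a payment demand, and a mail filter can key on that. The following is an added example, not code from Check Point or from this article: it flags plain-text messages that pair a checksum-valid Bitcoin address with pressure phrases. The phrase list, the sample messages and the function names are assumptions.

```python
import hashlib
import re
from email import message_from_string

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Assumed pressure phrases; the article does not quote the email text.
PHRASES = ("your password", "webcam", "bitcoin", "hours", "contacts")

def valid_btc_address(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]

def score_message(raw_email, min_phrases=2):
    """Flag a plain-text mail that pairs a checksum-valid wallet with pressure phrases."""
    msg = message_from_string(raw_email)
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        return {"flag": False, "wallets": [], "phrases": []}
    body = msg.get_payload()
    wallets = [a for a in ADDR_RE.findall(body) if valid_btc_address(a)]
    phrases = [p for p in PHRASES if p in body.lower()]
    return {"flag": bool(wallets) and len(phrases) >= min_phrases,
            "wallets": wallets, "phrases": phrases}

# Constructed samples. The wallet is the publicly known Bitcoin genesis-block
# address, used only as a checksum-valid placeholder.
EXTORTION = (
    "From: a@example.test\nTo: b@example.test\nSubject: constructed sample\n\n"
    "I know your password is hunter2. I recorded you through your webcam.\n"
    "Send $800 in bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours.\n"
)
# Same address with the last character altered, so the checksum fails.
BENIGN = (
    "From: c@example.test\nTo: b@example.test\nSubject: constructed sample\n\n"
    "The bitcoin workshop moves to Friday. Ref 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb.\n"
)

if __name__ == "__main__":
    for name, mail in (("extortion", EXTORTION), ("benign", BENIGN)):
        print(name, score_message(mail))
```

Validating the checksum rather than matching on the address pattern alone keeps random Base58-looking strings, such as tracking references, from triggering the rule.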

“Leaked credential lists, containing passwords that are often not compatible with their linked email addresses, are a common inexpensive commodity,” the researchers concluded. “Phorpiex, a veteran botnet, has found a way to use them to generate a low maintenance, easy income on a long term basis.”