Phorpiex botnet is back: Hijacking Hundreds of crypto transactions

Phorpiex, an old threat known since 2016, was initially known as a botnet that operated using IRC protocol (also known as Trik).
In 2018-2019 Phorpiex switched to modular architecture and the IRC bot was replaced with Tldr – a loader controlled through HTTP that became a key part of the Phorpiex botnet infrastructure.
In Check Point’s 2019 Phorpiex Breakdown research report, they estimated over 1,000,000 computers were infected with Tldr.

Phorpiex is mostly known for its massive sextortion spam campaigns, crypto-jacking (cryptocurrency mining infected machines), spreading ransomware, and cryptocurrency clipping.
In the summer of 2021, the activity of Phorpiex command and control servers (C&C) dropped sharply.
The C&C servers were shut down in July, and there was no activity for about two months.
On August 27 an announcement was spotted on an underground forum, allegedly from the botnet owners, that stated they were going out of business and sold off the source code.

From this announcement, it seemed that the botnet was developed and controlled by two individuals.
Check Point don’t know if the botnet was actually sold.
However, less than two weeks later, the C&C servers were back online at another IP address (185.215.113[.]66) of the same sub-network and later switched to 185.215.113[.]84

Simultaneously, the C&C servers started distributing a bot that had never seen before.
It was called “Twizt” and enables the botnet to operate successfully without active C&C servers, since it can operate in peer-to-peer mode.
This means that each of the infected computers can act as a server and send commands to other bots in a chain.
As a really large number of computers are connected to the Internet through NAT routers and don’t have an external IP address, the Twizt bot reconfigures home routers that support UPnP and sets up port mapping to receive incoming connections.
The new bot uses its own binary protocol over TCP or UDP with two layers of RC4-encryption.
It also verifies data integrity using RSA and RC6-256 hash function.

The emergence of such features suggests that the botnet may become even more stable and therefore, more dangerous.

Sign Up For Threat Alerts

Threats Icon

Jan 18, 2022

Destructive malware targeting Ukrainian organizations

Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple...

Threats Icon

Jan 17, 2022

Iranian MOIS hacker group MuddyWater

Iranian MOIS hacker group MuddyWater is using a suite of malware to conduct espionage and...

Threats Icon

Jan 16, 2022

Abcbot – An Evolution of Xanthe

Abcbot, the emerging botnet that was recently analyzed and reported on, has a longer history...

Threats Icon

Jan 13, 2022

Night Sky is the latest ransomware targeting...

According to MalwareHunterTeam, who first spotted the new ransomware, the Night Sky operation has two...

Threats Icon

Jan 12, 2022

New SysJoker Backdoor Targets Windows, Linux, and...

Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion...

Threats Icon

Jan 10, 2022

New Konni Campaign Targeting Russian Ministry Of...

Black Lotus Labs, the threat research team of Lumen Technologies, uncovered a series of targeted...

Threats Icon

Jan 09, 2022

Elephant Beetle

Sygnia's Incident Response (IR) team has been tracking a financially motivated threat group targeting and...

Threats Icon

Jan 06, 2022

A Simple Batch File That Blocks Computer...

The script uses the BlockInput() API call through a PowerShell one-liner, which blocks interaction with...

Threats Icon

Jan 05, 2022

New Zloader Banking Malware Campaign Exploiting Microsoft...

An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and a nine-year-old...

Threats Icon

Jan 04, 2022

Malicious Telegram Installer Drops Purple Fox Rootkit

This installer is a compiled AutoIt (a freeware BASIC-like scripting language designed for automating Windows...

Threats Icon

Jan 04, 2022

The dirty dozen of Latin America: From...

Latin American banking trojans are an ongoing, evolving threat They target mainly Brazil, Spain, and...

Threats Icon

Jan 02, 2022

Flagpro: The new malware used by BlackTech

BlackTech has been actively attacking, some attack cases against Japanese companies were observed. BlackTech uses...

Threats Icon

Dec 29, 2021

Dridex Distributed with “Merry Christmas!” Excel File

Dridex is a banking malware that collects a user's banking credentials and performs malicious behaviors...

Threats Icon

Dec 28, 2021

New Rook Ransomware Feeds Off the Code...

Rook claimed its first victim: a Kazkh financial institution from which the Rook operators had...

Threats Icon

Dec 27, 2021

Malicious Notepad++ installers push StrongPity malware

The sophisticated hacking group known as StrongPity is circulating laced Notepad++ installers that infect targets...