Phorpiex Botnet Returns with New Tricks

The previously shut-down Phorpiex botnet has re-emerged with new peer-to-peer command-and-control infrastructure, making the malware more difficult to disrupt. The botnet first launched in 2016 and quickly accumulated a massive army that grew to over 1 million devices over the years. The malware generates revenue for its developers by swapping cryptocurrency addresses copied to the Windows clipboard with addresses under their control, or by spamming sextortion emails to scare people into paying an extortion demand.

However, after over five years of development, the Phorpiex operators shut down their infrastructure and tried to sell the botnet’s source code on a hacking forum. It is unknown whether the threat actors managed to sell their malware, but researchers from Check Point saw the infrastructure come back online in September, less than two weeks after the “for sale” post. This time, though, the command-and-control (C2) servers distributed a new botnet variant with some new tricks that make it harder to find the operators or take down the infrastructure.

When Phorpiex relaunched in September, Check Point saw it distributing a new malware variant called “Twizt” that allows the botnet to operate without centralized command-and-control servers. Instead, the new Twizt variant adds a peer-to-peer command-and-control system that lets the infected devices relay commands to each other when the static C2 servers are offline. “Simultaneously, the C&C servers started distributing a bot that had never been seen before. It was called ‘Twizt’ and enables the botnet to operate successfully without active C&C servers, since it can operate in peer-to-peer mode,” explained the new report by Check Point. “This means that each of the infected computers can act as a server and send commands to other bots in a chain.”

This new P2P infrastructure also allows the operators to change the IP address of the main C2 servers as necessary while remaining hidden within a swarm of infected Windows machines.

Phorpiex was previously known for delivering large-scale sextortion spam campaigns, sending over 30,000 sextortion emails per hour. The operators made roughly $100k per month by tricking people into sending them cryptocurrency, and did so with relatively little effort. The botnet also uses crypto-clipping, a clipboard hijacker that replaces cryptocurrency wallet addresses copied to the Windows clipboard with addresses controlled by the threat actors. When a person then attempts to send cryptocurrency to another address, it is sent to the threat actor’s address instead. Because cryptocurrency addresses are hard to remember, victims will likely not realize their cryptocurrency was stolen until they notice that it went to the wrong address.

Analyst Notes

There are several best practices that can help protect against threats like Phorpiex. When performing cryptocurrency transactions, double-check that the pasted wallet address is indeed the intended one before submitting the payment. Performing a small test transaction before sending a large amount is also a reasonable precaution that limits what could be lost. Update operating systems and installed applications to fix vulnerabilities as soon as possible. Finally, be careful not to click on an ad when searching for cryptocurrency wallets and tools, as these ads commonly lead to scams.
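One way to apply the “double-check the pasted address” advice programmatically, and to detect the clipboard swap the crypto-clipping section describes, is a canary check: record what the user copied, read the clipboard back, and alert if a different address of the same family came back. The following is an added Python example, not code from the report or from Check Point; the address patterns are format-only checks that I am assuming here, and the clipboard event log and wallet values are constructed (a real check would read the OS clipboard).

```python
import re
from typing import List, Optional, Tuple

# Format-only patterns (no checksum validation) for the wallet families that
# clippers like Phorpiex target. Assumed patterns, not taken from the report.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_type(text: str) -> Optional[str]:
    """Return the wallet-address family that `text` matches, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

def clipboard_swapped(copied: str, observed: str) -> bool:
    """True when the clipboard no longer holds the address the user copied but a
    different address of the same family: the signature of a crypto-clipper."""
    family = address_type(copied)
    if family is None:
        return False  # not a wallet address, so a clipper would leave it alone
    return observed.strip() != copied.strip() and address_type(observed) == family

def audit_clipboard_log(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Walk a clipboard event log ('copy' = what the user placed on the clipboard,
    'paste' = what an application read back) and return the swapped pairs."""
    alerts, last_copied = [], None
    for action, content in events:
        if action == "copy":
            last_copied = content
        elif action == "paste" and last_copied is not None:
            if clipboard_swapped(last_copied, content):
                alerts.append((last_copied, content))
    return alerts

# Constructed sample values; none of these are real wallets or indicators.
USER_BTC = "bc1q" + "canarywallet" + "0" * 26
SWAPPED_BTC = "bc1q" + "swappedwallet" + "0" * 25
USER_ETH = "0x" + "1234567890abcdef" * 2 + "12345678"
SWAPPED_ETH = "0x" + "f" * 40
SAMPLE_EVENTS = [
    ("copy", USER_BTC), ("paste", USER_BTC),                # clean round trip
    ("copy", USER_BTC), ("paste", SWAPPED_BTC),             # clipper replaced the address
    ("copy", "invoice #4812"), ("paste", "invoice #4812"),  # non-address text is ignored
    ("copy", USER_ETH), ("paste", SWAPPED_ETH),             # same check for an ETH address
]
```

Running `audit_clipboard_log(SAMPLE_EVENTS)` on the constructed log reports the two swapped pairs and ignores the clean round trip and the non-address text.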