The Phorpiex botnet, which went dark after its operators shut it down, has resurfaced with a new peer-to-peer command-and-control architecture that makes it harder to disrupt. The botnet first appeared in 2016 and has since infected more than 1 million devices.
The malware makes money by swapping cryptocurrency addresses copied to the Windows clipboard with ones under the operators' control, and by sending sextortion emails that frighten recipients into paying. After more than five years of operation, the Phorpiex operators shut down their infrastructure and offered the botnet's source code for sale on a hacking forum.
It is unclear whether the sale went through, but Check Point researchers observed the infrastructure come back online in September, less than two weeks after the "for sale" post. This time, however, the command-and-control servers pushed a new variant of the bot, one that includes tactics meant to make the operators harder to identify and the infrastructure harder to take down.
When Phorpiex resumed in September, Check Point found it distributing a new strain named "Twizt" that lets the botnet operate without centralized command-and-control servers. Twizt adds a peer-to-peer command-and-control mechanism through which infected devices relay commands to one another even when the static C2 servers are unreachable.
Through this P2P layer the operators can change the IP address of the main C2 servers whenever they need to, while staying hidden inside the swarm of infected Windows machines. The Twizt variant adds the following features:
- A custom binary protocol (TCP or UDP) with two layers of RC4 encryption.
- A data integrity verification system.
- A peer-to-peer operation mode (no C2).
Twizt can also download additional payloads from the C2 server, either from a list of hard-coded base URLs and paths or on receipt of the corresponding command. Phorpiex was previously notable for large-scale sextortion spam campaigns, sending more than 30,000 sextortion emails per hour. Those campaigns brought the operators roughly $100,000 a month in cryptocurrency payments from frightened recipients.
Crypto-clipping, or clipboard hijacking, is another feature of the bot: it replaces cryptocurrency wallet addresses copied to the Windows clipboard with addresses the threat actors control. When a victim pastes what they believe is the recipient's address into a transaction, the funds go to the attackers' wallet instead.
Victims are unlikely to notice the theft until they see that the funds arrived at the wrong address, because wallet addresses are long random strings that few people check character by character. And because the bot works without a C2 or any central administration, infected machines will keep swapping addresses and diverting transactions to the attackers' wallets even if the operators are arrested and the infrastructure is shut down.
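As an added example (not Check Point's analysis or Phorpiex's code), the following Python models the clipper's substitution step against a stand-in clipboard and, beside it, the integrity check a wallet application or endpoint agent could apply: classify what is on the clipboard as a coin address (with a Base58Check checksum test for legacy Bitcoin addresses so random text is not mistaken for one), then flag a paste whose address differs from what the user last copied. The three address patterns, the Clipboard stand-in, the attacker wallets and the sample victim addresses are all constructed for the example; the attacker's Bitcoin address is built from a placeholder 20-byte hash, not a real key.

```python
import hashlib
import re

# Illustrative address formats only (constructed for this example); the real
# clipper matches many more coins. Order matters: first matching pattern wins.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{8,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d4(data: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of SHA-256(SHA-256(data))
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    # base58(payload || checksum); each leading zero byte becomes a leading '1'
    raw = payload + _sha256d4(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def base58check_valid(addr: str) -> bool:
    # Decode as a big-endian base-58 number and verify the trailing checksum;
    # a single-character typo or an arbitrary base58 string fails here.
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    return len(raw) >= 5 and _sha256d4(raw[:-4]) == raw[-4:]


def classify(text: str):
    # Which coin does this text look like an address for? None if no pattern matches
    # (legacy BTC must also pass the checksum so random base58 text is ignored).
    text = text.strip()
    for label, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            if label == "btc_legacy" and not base58check_valid(text):
                return None
            return label
    return None


class Clipboard:
    # Stand-in for the Windows text clipboard: one slot any process can rewrite.
    def __init__(self):
        self.text = ""


def clipper_swap(clip: Clipboard, attacker_wallets: dict) -> bool:
    # Simulation of the clipper's substitution: if the clipboard holds an address for a
    # coin the attacker has a wallet for, overwrite it in place. Returns True on a swap.
    label = classify(clip.text)
    if label in attacker_wallets:
        clip.text = attacker_wallets[label]
        return True
    return False


class ClipboardIntegrityMonitor:
    # Defensive counterpart: remember what the user copied and, before a paste, flag an
    # address that changed under them with no further copy action.
    def __init__(self, clip: Clipboard):
        self.clip, self.last_user_copy = clip, None

    def user_copy(self, text: str):
        self.clip.text = self.last_user_copy = text

    def check_before_paste(self):
        current = self.clip.text
        if self.last_user_copy is None or current == self.last_user_copy:
            return None
        copied, pasted = classify(self.last_user_copy), classify(current)
        if copied and pasted:  # one address silently replaced by another: the clipper's tell
            return f"clipboard hijack suspected: {copied} {self.last_user_copy} -> {pasted} {current}"
        return None  # changed to non-address text: another app copied something, not a swap


# Constructed attacker wallets. The BTC one is built from a placeholder 20-byte
# "hash160" (NOT derived from a real key); the ETH one is a well-known burn address.
ATTACKER_WALLETS = {
    "btc_legacy": base58check_encode(b"\x00" + hashlib.sha256(b"constructed").digest()[:20]),
    "eth": "0x000000000000000000000000000000000000dEaD",
}


def simulate(victim_address: str, attacker_wallets: dict = ATTACKER_WALLETS):
    # Victim copies an address, the clipper runs, the monitor checks just before the paste.
    clip = Clipboard()
    monitor = ClipboardIntegrityMonitor(clip)
    monitor.user_copy(victim_address)
    swapped = clipper_swap(clip, attacker_wallets)
    return swapped, clip.text, monitor.check_before_paste()


if __name__ == "__main__":
    # Genesis-block coinbase address, a placeholder ETH address and the BIP173 bech32 example
    for addr in ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
                 "0x1111111111111111111111111111111111111111",
                 "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"):
        print(simulate(addr))
```

The bech32 case shows the monitor staying quiet when the attacker has no wallet for that coin and nothing changes, while the legacy Bitcoin and Ethereum cases are swapped and flagged. A real monitor would read the live clipboard through the OS API instead of the stand-in class, but the comparison logic is the same: a wallet app that compares the pasted address against the one the user actually copied defeats the swap regardless of whether the bot still has a C2.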