The operators of the Phorpiex malware have reportedly shut down their botnet and are selling the source code for it on a dark web forum.
An ad claims that the two original authors of the botnet are no longer running it, which is why the seller has posted the source code online. The individual was previously linked to the botnet’s operation.
“As I no longer work and my friend has left the biz, I’m here to offer Trik (name from coder) / Phorpiex (name from AV firms) source for sell [sic],” the individual said in a forum post spotted by British security firm Cyjax.
Alexey Bukhteyev, a malware reverse engineer for security firm Check Point, confirmed the source code is probably genuine.
“As we know, the source code is private and hasn’t been sold before. Therefore, this [forum ad] looks really believable,” Bukhteyev told The Record. “The description of the malware is very similar to what we saw in the code. However, we can be totally sure if we buy it. The binaries are quite straightforward, and we can easily confirm that the source code is for this bot indeed, if we get it,” the researcher added.
“Evidence that shows the seller is likely a real author is in the description: ‘Main bot right now is FUD from windows defender’, because all the modules I know currently get AV detections on VT even if they are uploaded there for the first time.”
A researcher who was able to reach the botnet’s command-and-control servers said they had not been running for almost two months.
According to Bukhteyev, the last command the Phorpiex botnet issued, on July 6, 2021, was a self-deletion command. But he says that even with the C&C servers down, a hacker could still take control of them and hijack the previously infected systems.
“There are still a lot of infected machines = active bots. We can’t definitely say how many, but we constantly see many hits on our gateways,” the Check Point researcher added.
The good news is that it is unclear whether anyone will want to buy the botnet. It has big disadvantages that may deter buyers: for example, it can be hijacked by third parties to deploy their own payloads or issue rogue “uninstall” commands.