Phorpiex is a well-known malware that has been operating at least since 2016, initially known as a botnet using the IRC protocol. A couple of years later, the botnet’s infrastructure changed to Tldr – a loader controlled via HTTP.
In August 2021, its operators stated that they were going out of business, according to a post on an underground forum. However, a couple of weeks later, Phorpiex was back with a new IP address.
According to a Check Point report, this is when “simultaneously, the C&C servers started distributing a bot that had never seen before.”
Twizt Botnet: a New Variant of Phorpiex
Called Twizt, the malware can operate successfully without active C&C, as it can operate in peer-to-peer mode. In other words, each infected device can act as a server and send commands to other bots in the chain.
“As a really large number of computers are connected to the Internet through NAT routers and don’t have an external IP address, the Twizt bot reconfigures home routers that support UPnP and sets up port mapping to receive incoming connections,” Check Point added.
In terms of its malicious functionalities, the new Twizt bot uses its own binary protocol over TCP or UDP with two layers of RC4 encryption. It’s also capable of verifying data integrity via RSA and RC6-256 hash function.
According to the report, Phorpiex has victimized millions of users worldwide throughout the year:
In our telemetry throughout the year, we saw an almost constant number of Phorpiex victims, which persisted even during periods of the C&C servers’ inactivity. The numbers began to increase over the last 2 months. In 2021, Phorpiex bots were found in 96 countries. Most Phorpiex victims are located in Ethiopia, Nigeria and India.
The botnet has been used in sextortion and crypto mining campaigns. Attempts to monetize crypto-clipping attacks haven’t been that significant, but now it seems that its operators are upping their game in this direction with the Twizt version.
What Is Crypto-Clipping?
Shortly said, it is the type of attacks targeted at stealing cryptocurrency during a transaction. This is done by replacing the original wallet address saved in the victim’s clipboard with the attacker’s wallet address.
“Shutting down the botnet’s command and control infrastructure and arresting its authors will not protect those who are already infected with Phorpiex. Due to the nature of the blockchain the stolen money cannot be returned if we do not know the private keys of the wallets used by the malware,” Check Point warned.