Phorpiex botnet variant used for cryptocurrency attacks
Cryptocurrency users in Ethiopia, Nigeria, India, Guatemala, and the Philippines are being targeted by a new Phorpiex botnet variant named Twizt which resulted in the theft of cryptocurrency amounting to $500,000 over the last one year.
According to Israeli security firm Check Point Research, which had detailed the attacks, the latest evolutionary version permits the botnet to operate successfully without active [command-and-control] servers. It supports around 35 wallets associated with different blockchains, including Bitcoin, Ethereum, Dash, Dogecoin, Litecoin, Monero, Ripple, and Zilliqa, to facilitate crypto theft.
Phorpiex, also known as Trik, is known for its sextortion spam and ransomware campaigns as well as cryptojacking, in which the the targets’ devices such as computers, smartphones, and servers are leveraged to secretly mine cryptocurrency without their knowledge.
It also uses a technique called cryptocurrency clipping, which involves stealing cryptocurrency in the process of a transaction by deploying malware that automatically substitutes the intended wallet address with the threat actor’s wallet address.
Check Point had identified 60 unique Bitcoin wallets and 37 Ethereum wallets used by Phorpiex.
The botnet operators have shut down and put its source code for sale on a dark web cybercrime forum in August 2021. Butt the command-and-control (C&C) servers resurfaced two weeks later to distribute Twizt.
The clipping technique once deployed can work even in the absence of any C&C servers and siphon money from victims’ wallets. So each of the infected computers can act as a server and send commands to other bots in a chain. These types of features indicates that the botnet may become even more stable and hence, more dangerous.
Phorpiex-infected bots was spotted in 96 countries, topped by Ethiopia, Nigeria, and India. The botnet is estimated to have hijacked almost 3,000 transactions with a total value of approximately 38 Bitcoin and 133 Ether.
However, it is worth noting that the botnet is designed to halt its execution if the infected system’s locale be defaulted to Ukraine, suggesting that the botnet operators are from the East European nation.
Image Credits : ipFail
The post Phorpiex botnet variant used for cryptocurrency attacks first appeared on Cybersafe News.
