Security analysts have found new attacks targeting cryptocurrency investors in India, Nigeria, Ethiopia, and other countries, allegedly carried out by threat actors using a Phorpiex botnet variant known as ‘Twizt.’ The botnet is used to steal cryptocurrency from victims through a technique called ‘crypto clipping.’
Crypto wallet addresses are typically long, which is why most systems let users copy and paste them to simplify transactions. The Phorpiex botnet abuses this habit: when a victim copies a wallet address, the malware replaces it with the threat actors’ own wallet address, so the funds are sent to the attackers instead of the intended recipient.
The analysts also reported that more than 900 transactions had been intercepted by the threat actors, and noted that the Phorpiex botnet can operate even with no active command-and-control (C2) servers. This lets the threat actors sidestep security mechanisms that rely on blocking C2 traffic, and every infected machine can further widen the Phorpiex botnet.
The Phorpiex botnet was developed in 2016 and first became notorious as a tool for sextortion and crypto-jacking, and as a botnet that operated over the IRC protocol.
However, it eventually evolved as a tool used in ransomware operations.
In May 2021, Microsoft released a blog post about the Phorpiex botnet, warning readers that its infrastructure had been diversified to make it a more potent tool for cyberattacks and for delivering dangerous payloads to victims.
The Phorpiex botnet’s C2 server reportedly went offline in August 2021, and its creator put the botnet up for sale on the darknet. However, the experts said that even with the C2 servers down, any threat actor who obtained the botnet’s source code could redeploy it and extend it using the previously infected systems.
It was never confirmed that the botnet was sold to another threat actor, but the analysts said that its C2 servers were found online again, at a new IP address, within a few weeks. Since this restart after the hiatus, it has been discovered that the Phorpiex botnet can now operate without a C2 server thanks to a peer-to-peer mode. Operating without a C2 server means the infected machines themselves act as servers, relaying commands to other bots along a chain.
With these new features making the Phorpiex botnet more stable and more dangerous, reports said its attacks have become more consistent and have targeted 96 different countries, including India, Nigeria, and Ethiopia.
Security experts have strongly advised cryptocurrency investors worldwide to carefully verify the wallet addresses they copy and paste, to avoid sending their assets to unintended recipients. They also added that investors should send test transactions with small amounts, especially before conducting large transfers.
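The two checks above, as an added example that is not part of the original article or of any vendor tool: a detector that flags the clipboard substitution the clipping technique relies on (an address replaced by a different address of the same kind without a user copy action) and a pre-send comparison of the pasted address against the intended one. The event format, the `origin` field and the sample addresses are constructed for illustration; the address patterns are deliberately loose and are not a full validity check.

```python
import re
from dataclasses import dataclass

# Loose shape checks for two common address formats (constructed for
# illustration; they do not validate checksums, only the general form).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return 'btc', 'eth' or None depending on what the text looks like."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


@dataclass
class ClipEvent:
    ts: float        # seconds since an arbitrary epoch (constructed)
    origin: str      # "user" = explicit copy; "monitor" = content changed otherwise
    content: str


def detect_clipping(events):
    """Flag when an address in the clipboard is silently replaced by a
    different address of the same kind, i.e. without a user copy event."""
    alerts = []
    previous = None
    for ev in events:
        kind = address_kind(ev.content)
        if (previous is not None and ev.origin != "user" and kind is not None
                and kind == address_kind(previous.content)
                and ev.content.strip() != previous.content.strip()):
            alerts.append({"ts": ev.ts, "kind": kind,
                           "expected": previous.content, "found": ev.content})
        previous = ev
    return alerts


def verify_before_send(pasted, expected):
    """Pre-send check: the pasted address must match the intended one exactly."""
    return pasted.strip() == expected.strip()


# Constructed clipboard log: the user copies an address, then the clipboard
# changes to a different address with no user action in between.
SAMPLE_EVENTS = [
    ClipEvent(1.0, "user", "bc1qexampleaddressconstructed0000000001"),
    ClipEvent(1.2, "monitor", "bc1qdifferentaddressconstructedforexample02"),
    ClipEvent(9.0, "user", "some ordinary text"),
]
```

Run `detect_clipping(SAMPLE_EVENTS)` to see one alert carrying both the copied and the substituted address; a wallet front end would call `verify_before_send` with the pasted value and the address from the user's own address book before submitting the transaction.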