Phorpiex Botnet into Cryptomining

Researchers have observed a new variant of the Phorpiex botnet targeting cryptocurrency users and stealing funds through a “cryptocurrency clipping.” Primarily conducted crypto jacking, ransomware, cryptocurrency clipping, and sextortion spam campaigns. This past summer, the botnet’s C2 server activity dropped, and its gone offline.

But the C2 servers were back online under a different IP address, spreading a bot that had never been seen before. This bot, dubbed “Twizt,” enables the botnet to operate without active C2 servers because it can run in peer-to-peer mode, the researchers explain. Each infected machine can act as a server and send commands to other bots in a chain.

Check Point’s telemetry revealed “an almost constant number of Phorpiex victims” that continued even when its C2 servers were inactive. The threat has been seen in 96 countries, with most victims in Ethiopia, Nigeria, and India. Numbers have started to increase in the last two months.

Researchers Report

The botnet uses cryptocurrency clipping, or crypto-clipping, a method in which attackers steal cryptocurrency during a transaction by substituting the original wallet address saved in the clipboard with their wallet address. It’s common to use the clipboard to copy and paste a long cryptocurrency wallet address.

If a malware implements the crypto-clipping functionality, it can work successfully without any C&C servers,when the Phorpiex C&C servers go down there is no down time because hundreds of thousands of bots remain installed and continue to steal victims’ money.

Researchers Statement

They found 60 Bitcoin wallets and 37 Ethereum wallets used by the Phorpiex crypto-clipper. In the one-year period ending November 2021, Phorpiex bots hijacked 969 transactions and stole 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens. The value of these stolen amounts in current prices is nearly $500,000 USD.

Indicators of Compromise

• d5516838dbec985f8e893bb145b364ee3f6060dec3d30967b21309041283dfd1
• 4b355796a710bec51e37958a39ca0fb28f462f80b15b3e42162bf47cdf0fca79
• f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc
• 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e
• 143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682
• 197286269fe0f8ef718beb337945c88e3b88683ff39c05137b71d7cd662c7ddd
• 7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506
• 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
• 96c57e456b9cd614a632edd4563ac70cb08fc34db2c2398c2c9aaa4ed920445f
• 8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9
• 1d69a55baba58f62b1448b92859a39272ba42d171f390749ca8ba9c27e74b010
• 313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316
• 8f7bbcb3ac44aa48df92b65b7ef40c341ed80df2710668d5ac6b7207c00b581d
• cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254
• b4a5ecd4285c5431b486740ce111211df90486d4ba1fe189e5cbbcd02ec72ed3
• 68ca21ebaec1f7a40e25b348e8275c56b7fede56ea30ec2215c535f63d5f04da
• 5fae9e2f6fc2e95b5f6be3c8c0d3a76cebf18a2526913d21c67bb98be35f8247
• 63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3
• 8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c
• 37c35d63111e22bb37ed6b22e5886b5178e3bdac3b50977a5aa029accfa5b195
• 3919509ed00956ca7eb30eb7717c24fcfe1da4ca6403ce68d07d5ddab43bc70c

C&C servers:

• 185.215.113[.]84
• 185.215.113[.]66
• 185.215.113[.]93
• thaus[.]ws
• gotsomefile[.]top
• geauhouefheuutiiiw[.]top
• aegieuueueuuruia[.]ru
• toruuoooshfrohfe[.]su
• gimmefile[.]top