Phorpiex, the botnet known for its diverse infrastructure and extortion campaigns, has resurfaced with its new variant named Twizt. Now, the botnet is using a method called crypto clipping in an attempt to steal cryptocurrency.
What has happened?
According to CheckPoint, the botnet is now capable of working without active C2 servers. This allows it to easily avoid security. Additionally, it can operate in a peer-to-peer mode that widens the scope of its infection to multiple devices.
The attackers replace the targeted wallet address with their own wallet address. So far, the researchers have observed 969 such hijacked transactions.
Last year, Twizt operators stole 55.87 Ether, 3.64 Bitcoin, and $55,000 in ERC20 tokens, amounting to about $500,000 in total.
Each of the infected devices can be used to act as a server and send commands to other bots. Further, Twizt reconfigures home routers supporting UPnP with port mapping for incoming connections.
The bot now uses its own binary protocol over UDP/TCP with two layers of RC4-encryption. Due to this development, the botnet became more stable and dangerous.
In the last two months, there has been an increase in attacks aimed at different countries.
The new attacks are targeting cryptocurrency users in Nigeria, India, Ethiopia, and 93 other countries.
The botnet operators are believed to be from Ukraine.
Twizt has support for 30 different cryptocurrency wallets, such as Dash, Ethereum, Bitcoin, and Monero. This makes the attack surface broader and almost anyone using crypto could be targeted.
Previously, Phorpiex served a different purpose by dropping Avaddon ransomware by dropping a Zip file attachment.
The transformation of Phorpiex into a peer-to-peer botnet operating without a central C2 server makes it a sophisticated threat. Moreover, the cryptocurrency clipping technique can enable attackers to make huge profits. Implementing proper cybersecurity hygiene can help crypto users stay safe.