The Botnet Re-emerged With New Peer-to-Peer Command and Control Infrastructure.
Last updated on December 17, 2021
Phorpiex/Trik is an SDBot fork (therefore IRC-based) used to spread GandCrab, Pushdo, Pony, and coin miners.
The previously retired Phorpiex botnet has resurfaced with new peer-to-peer command and control architecture, making the virus more difficult to destroy.
A botnet is a network of infected computers or other internet-connected devices, that communicate with each other in order to perform the same malicious actions, like launching spam campaigns or distributed denial-of-service attacks. The network can be controlled remotely by online criminals to serve their interests and, at the same time, this allows the hackers to avoid detection or legal actions by law agencies.
The Phorpiex botnet originally appeared in 2016 and swiftly grew to a vast army of over 1 million devices, and was infamous for conducting large-scale sextortion spam operations, allowing threat actors to spam over 30,000 sextortion emails each hour.
Is ‘Twizt’ the New Phorpiex?
CheckPoint researchers noticed Phorpiex propagating a new malware strain named “Twizt,” which allows the botnet to function without centralized command and control servers.
Instead, the new Twizt Phorpiex version incorporated a peer-to-peer command and control mechanism that allowed infected devices to relay orders to one other if the static command and control servers were unavailable.
Simultaneously, the C&C servers started distributing a bot that had never seen before. It was called “Twizt” and enables the botnet to operate successfully without active C&C servers, since it can operate in peer-to-peer mode.
This means that each of the infected computers can act as a server and send commands to other bots in a chain.
This new P2P infrastructure also enables the operators to modify the IP address of the main C2 servers as needed while keeping inconspicuous among a swarm of infected Windows devices.
As reported by BleepingComputer, the Twizt version includes a peer-to-peer operating mode (no C2) , a data integrity verification system, and also a bespoke binary protocol (TCP or UDP) with two layers of RC4 encryption.
Twizt may additionally download extra payloads by using a set of hard-coded base URLs and routes, or by receiving the necessary instruction from the C2 server.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.