Phorpiex Botnet Is Becoming Harder to Disrupt
The Botnet Re-emerged With New Peer-to-Peer Command and Control Infrastructure.
Phorpiex/Trik is an SDBot fork (therefore IRC-based) used to spread GandCrab, Pushdo, Pony, and coin miners.
The previously retired Phorpiex botnet has resurfaced with a new peer-to-peer command and control architecture, making the botnet more difficult to take down.
A botnet is a network of infected computers or other internet-connected devices that communicate with each other in order to perform the same malicious actions, such as launching spam campaigns or distributed denial-of-service attacks. The network can be controlled remotely by online criminals to serve their interests, and at the same time this allows the attackers to avoid detection or legal action by law enforcement agencies.
The Phorpiex botnet originally appeared in 2016 and swiftly grew to a vast army of over 1 million devices. It was infamous for conducting large-scale sextortion spam operations, allowing threat actors to send over 30,000 sextortion emails each hour.
Is ‘Twizt’ the New Phorpiex?
Check Point researchers noticed Phorpiex propagating a new malware strain named “Twizt,” which allows the botnet to function without centralized command and control servers.
Instead, the new Twizt Phorpiex version incorporates a peer-to-peer command and control mechanism that allows infected devices to relay orders to one another if the static command and control servers are unavailable.
Simultaneously, the C&C servers started distributing a bot that had never been seen before. It was called “Twizt” and enables the botnet to operate successfully without active C&C servers, since it can run in peer-to-peer mode.
This means that each of the infected computers can act as a server and send commands to other bots in a chain.
This new P2P infrastructure also enables the operators to change the IP address of the main C2 servers as needed while staying inconspicuous among a swarm of infected Windows devices.
As reported by BleepingComputer, the Twizt version includes a peer-to-peer operating mode (no C2), a data integrity verification system, and a bespoke binary protocol (TCP or UDP) with two layers of RC4 encryption.
Twizt may additionally download extra payloads by using a set of hard-coded base URLs and routes, or by receiving the necessary instruction from the C2 server.
How Can Heimdal™ Help?
Our Threat Prevention, awarded Cloud-Delivered Security Solution of the Year at the Networking Computer Awards 2021, can help you scan DNS, HTTP, and HTTPS traffic and detect malicious activity. Inbound and outbound traffic is scanned and threats are prevented with 96% accuracy, as the product successfully combines machine learning, AI-based prevention, and cybercrime intelligence.